Windows Analysis Report
PkWnPA8l7C.exe

Overview

General Information

Sample name: PkWnPA8l7C.exe
renamed because original name is a hash value
Original sample name: f65b25f3aafc048b68ede890b83367d8b67dd024d5463244a8d341abef7c0cb8.exe
Analysis ID: 1558737
MD5: 45c679d5074f022c80fa610f7f7e22af
SHA1: 5f4d48fc9e058c1b38daa538a98bc75d43f60f03
SHA256: f65b25f3aafc048b68ede890b83367d8b67dd024d5463244a8d341abef7c0cb8
Tags: crypto-st--art, exe, user-JAMESWT_MHT

Detection

DBatLoader, TVrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected TVrat
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection

Source: PkWnPA8l7C.exe Avira: detected
Source: C:\Windows\Installer\47b52d.msi Avira: detection malicious, Label: TR/Spy.Pavica.utbzg
Source: C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\is-8AVPK.tmp Avira: detection malicious, Label: TR/Spy.Pavica.utbzg
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\SHFolder.dll Avira: detection malicious, Label: TR/AD.RMSRatKit.zjpum
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\SHFolder.dll ReversingLabs: Detection: 62%
Source: PkWnPA8l7C.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: apphost.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8920A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 8_2_6B8920A0
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B878010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 8_2_6B878010
Source: apphost.exe, 00000008.00000002.4845103456.000000006B8DB000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2000c389-c
Source: PkWnPA8l7C.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 185.40.77.118:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.68:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.40.77.244:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.40.77.118:443 -> 192.168.2.6:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.40.77.118:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.40.77.244:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.40.77.244:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.68:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.6:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.239.29.61:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: PkWnPA8l7C.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.6.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.6.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstCrp.pdbGCTL source: apphost.exe, 00000008.00000002.4867536221.000000006CF3A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: libjpeg-turbo-win.dll.6.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbGCTL source: apphost.exe, 00000008.00000002.4848584612.000000006C33D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: apphost.exe, 00000008.00000002.4848584612.000000006C33D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: apphost.exe, 00000008.00000002.4865624428.000000006CBB2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: libjpeg-turbo-win.dll.6.dr
Source: Binary string: D:\ProjectsVS2022\NoMy\ssl\openssl-1.1.1s\build-x86\libssl-1_1.pdb source: apphost.exe, 00000008.00000002.4859963343.000000006C908000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: apphost.exe, 00000008.00000002.4865624428.000000006CBB2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /Zc:threadSafeInit- -D_USING_V110_SDK71_ /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Fri Nov 11 06:44:55 2022 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"userSDIR: "C:\Program Files (x86)\OpenSSL\lib\users-1_1"not availabledes(long) source: apphost.exe, 00000008.00000002.4855754946.000000006C792000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstCrp.pdb source: apphost.exe, 00000008.00000002.4867536221.000000006CF3A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: apphost.exe, 00000008.00000002.4869204560.000000006CFB7000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 47b52d.msi.6.dr, is-8AVPK.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbGCTL source: apphost.exe, 00000008.00000002.4869204560.000000006CFB7000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /Zc:threadSafeInit- -D_USING_V110_SDK71_ /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: apphost.exe, 00000008.00000002.4855754946.000000006C792000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2022\NoMy\ssl\openssl-1.1.1s\build-x86\libcrypto-1_1.pdb source: apphost.exe, 00000008.00000002.4855754946.000000006C806000.00000002.00000001.01000000.00000013.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_3_070021D5 FindFirstFileA, 11_3_070021D5
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs\NETCore\native
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs\NETCore
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 276
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8A07E0 recv,WSAGetLastError, 8_2_6B8A07E0
Source: global traffic DNS traffic detected: DNS query: dns.xn--80akicokc0aablc.xn--p1ai
Source: global traffic DNS traffic detected: DNS query: id-proxy.service.ast
Source: unknown HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 276
Source: libjpeg-turbo-win.dll.6.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: libjpeg-turbo-win.dll.6.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: astprint.dll.6.dr String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: astprint.dll.6.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: astprint.dll.6.dr String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: astprint.dll.6.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: apphost.exe, 00000008.00000002.4655595509.0000000002960000.00000004.00000020.00020000.00000000.sdmp, apphost.exe, 0000000B.00000002.2404066170.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp, apphost.exe, 0000000D.00000002.2483588355.0000000002B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crypto-st.art/update.php
Source: apphost.exe, 0000000D.00000002.2483588355.0000000002B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crypto-st.art/update.php:
Source: libjpeg-turbo-win.dll.6.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: astprint.dll.6.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: apphost.exe, 00000008.00000002.4654404850.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: apphost.exe, 0000000B.00000002.2402847178.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: apphost.exe, 00000008.00000002.4654404850.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesY
Source: apphost.exe, 00000008.00000002.4654404850.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesw
Source: PkWnPA8l7C.exe, 00000000.00000003.2186455242.0000000002420000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.exe, 00000000.00000003.2186729615.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000002.00000000.2187510526.0000000000401000.00000020.00000001.01000000.00000004.sdmp, PkWnPA8l7C.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: PkWnPA8l7C.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PkWnPA8l7C.exe, 00000000.00000003.2195802665.0000000002282000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000002.00000003.2192014920.00000000022F3000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.exe, 00000003.00000003.2283571862.00000000021D6000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000004.00000003.2278327653.0000000002293000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.kngstr.com/?PreDefines.ish
Source: PkWnPA8l7C.exe, 00000000.00000003.2195802665.000000000226C000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.exe, 00000000.00000003.2185353502.0000000002420000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000002.00000003.2188513512.0000000003250000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000002.00000003.2192014920.00000000022FA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.kngstr.com/?PreDefines.ishAbout
Source: apphost.exe, 00000008.00000000.2258462883.00000000009A7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.openssl.org/)
Source: PkWnPA8l7C.exe, 00000000.00000003.2186455242.0000000002420000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.exe, 00000000.00000003.2186729615.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, PkWnPA8l7C.tmp, 00000002.00000000.2187510526.0000000000401000.00000020.00000001.01000000.00000004.sdmp, PkWnPA8l7C.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: apphost.exe, 0000000B.00000002.2405684508.0000000061EA0000.00000008.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: apphost.exe, 00000008.00000002.4845373733.000000006B8F4000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://curl.haxx.se/V
Source: apphost.exe, 00000008.00000002.4845373733.000000006B8F4000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: apphost.exe, apphost.exe, 00000008.00000002.4845103456.000000006B8DB000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: apphost.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: apphost.exe, 00000008.00000000.2258462883.00000000009A7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: apphost.exe, 00000008.00000000.2258462883.00000000009A7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: apphost.exe, 00000008.00000000.2258462883.00000000009A7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: apphost.exe, 00000008.00000002.4654404850.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn-
Source: apphost.exe, 00000008.00000002.4804940436.000000003B833000.00000004.00001000.00020000.00000000.sdmp, apphost.exe, 00000008.00000002.4655830846.0000000002F74000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: apphost.exe, 00000008.00000002.4870017873.000000006CFF7000.00000004.00000001.01000000.0000000F.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai185.40.77.244
Source: apphost.exe, 00000008.00000003.2377937734.0000000005D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai43
Source: apphost.exe, 00000008.00000003.2377937734.0000000005D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai431E
Source: apphost.exe, 00000008.00000003.2377937734.0000000005D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai43_Z
Source: apphost.exe, 00000008.00000002.4683162856.000000000B09C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiU
Source: apphost.exe, 00000008.00000002.4655830846.0000000002F74000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid03
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://idcorp.xn--80akicokc0aablc.xn--p1ai
Source: astprint.dll.6.dr String found in binary or memory: https://sectigo.com/CPS0B
Source: astprint.dll.6.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: apphost.exe, 00000008.00000002.4860514826.000000006C936000.00000002.00000001.01000000.00000012.sdmp, apphost.exe, 00000008.00000002.4857649287.000000006C83A000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.openssl.org/H
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://xn--80akicokc0aablc.xn--p1ai
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_070046CF GetCursorPos,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetCursorPos,Sleep,Sleep, 11_2_070046CF

E-Banking Fraud

Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: apphost.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B878010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 8_2_6B878010
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\47b52d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB8F6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB964.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB9B3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB9D4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA13.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{BDE6A54B-49F9-4986-8B51-424F44D5E7DF}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBAA1.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIB8F6.tmp
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Programs\NETCore\native\AstCrp.dll 45E87D7421B6B65C207E8D564A4E54DCDAB7B104B83341F63D348F8894BDE992
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe BEFFE9A402B7721009674866AD773008C90B6AF543973ABDFB81391AF4EB7146
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: String function: 6B8A05D0 appears 84 times
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: String function: 6B8A06B0 appears 53 times
Source: PkWnPA8l7C.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: PkWnPA8l7C.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: PkWnPA8l7C.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: PkWnPA8l7C.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: sqlite3.dll.6.dr Static PE information: Number of sections : 18 > 10
Source: PkWnPA8l7C.exe, 00000000.00000003.2186729615.000000007FE36000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs PkWnPA8l7C.exe
Source: PkWnPA8l7C.exe, 00000000.00000003.2186455242.000000000254A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs PkWnPA8l7C.exe
Source: PkWnPA8l7C.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/55@1032/5
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_07004193 CreateToolhelp32Snapshot,Process32First,Process32Next,CharUpperA,lstrcmpA,Sleep, 11_2_07004193
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E T
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470Din
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe File created: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp Jump to behavior
Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: apphost.exe, 0000000B.00000002.2405511830.0000000061E8B000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PkWnPA8l7C.exe ReversingLabs: Detection: 44%
Source: PkWnPA8l7C.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe File read: C:\Users\user\Desktop\PkWnPA8l7C.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PkWnPA8l7C.exe "C:\Users\user\Desktop\PkWnPA8l7C.exe"
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Process created: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp "C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp" /SL5="$203F0,10588883,201216,C:\Users\user\Desktop\PkWnPA8l7C.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Process created: C:\Users\user\Desktop\PkWnPA8l7C.exe "C:\Users\user\Desktop\PkWnPA8l7C.exe" /verysilent /password=3ckn8
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Process created: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp "C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp" /SL5="$203F6,10588883,201216,C:\Users\user\Desktop\PkWnPA8l7C.exe" /verysilent /password=3ckn8
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" -i "C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\apphost.msi" -qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 91846BE942879C492C45F5EB1CE7B614
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe "C:\Users\user\AppData\Local\programs\NETCore\native\apphost.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe "C:\Users\user\AppData\Local\programs\NETCore\native\apphost.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe "C:\Users\user\AppData\Local\programs\NETCore\native\apphost.exe"
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: quartz.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: avifil32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: idndl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File written: C:\Users\user\AppData\Local\Programs\NETCore\native\config.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PkWnPA8l7C.exe Static file information: File size 11051247 > 1048576
Source: PkWnPA8l7C.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.6.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.6.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstCrp.pdbGCTL source: apphost.exe, 00000008.00000002.4867536221.000000006CF3A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: libjpeg-turbo-win.dll.6.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbGCTL source: apphost.exe, 00000008.00000002.4848584612.000000006C33D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: apphost.exe, 00000008.00000002.4848584612.000000006C33D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: apphost.exe, 00000008.00000002.4865624428.000000006CBB2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: libjpeg-turbo-win.dll.6.dr
Source: Binary string: D:\ProjectsVS2022\NoMy\ssl\openssl-1.1.1s\build-x86\libssl-1_1.pdb source: apphost.exe, 00000008.00000002.4859963343.000000006C908000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: apphost.exe, 00000008.00000002.4865624428.000000006CBB2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /Zc:threadSafeInit- -D_USING_V110_SDK71_ /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Fri Nov 11 06:44:55 2022 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"userSDIR: "C:\Program Files (x86)\OpenSSL\lib\users-1_1"not availabledes(long) source: apphost.exe, 00000008.00000002.4855754946.000000006C792000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstCrp.pdb source: apphost.exe, 00000008.00000002.4867536221.000000006CF3A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: apphost.exe, 00000008.00000002.4869204560.000000006CFB7000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 47b52d.msi.6.dr, is-8AVPK.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbGCTL source: apphost.exe, 00000008.00000002.4869204560.000000006CFB7000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /Zc:threadSafeInit- -D_USING_V110_SDK71_ /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: apphost.exe, 00000008.00000002.4855754946.000000006C792000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2022\NoMy\ssl\openssl-1.1.1s\build-x86\libcrypto-1_1.pdb source: apphost.exe, 00000008.00000002.4855754946.000000006C806000.00000002.00000001.01000000.00000013.sdmp

Data Obfuscation

Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8AACC0 GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 8_2_6B8AACC0
Source: apphost.exe.6.dr Static PE information: section name: JCLDEBUG
Source: astrct.dll.6.dr Static PE information: section name: .rodata
Source: hatls.dll.6.dr Static PE information: section name: .textbss
Source: hatls.dll.6.dr Static PE information: section name: .msvcjmc
Source: hatls.dll.6.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.6.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.6.dr Static PE information: section name: .00cfg
Source: SHFolder.dll.6.dr Static PE information: section name: .code
Source: sqlite3.dll.6.dr Static PE information: section name: /4
Source: sqlite3.dll.6.dr Static PE information: section name: /19
Source: sqlite3.dll.6.dr Static PE information: section name: /31
Source: sqlite3.dll.6.dr Static PE information: section name: /45
Source: sqlite3.dll.6.dr Static PE information: section name: /57
Source: sqlite3.dll.6.dr Static PE information: section name: /70
Source: sqlite3.dll.6.dr Static PE information: section name: /81
Source: sqlite3.dll.6.dr Static PE information: section name: /92
Source: vcruntime140.dll.6.dr Static PE information: section name: _RDATA
Source: vcruntime140d.dll.6.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8D9F78 push ecx; ret 8_2_6B8D9F76
Source: msvcr120.dll.6.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp File created: C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\libssl-1_1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB8F6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB964.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\libjpeg-turbo-win.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\AstCrp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\SHFolder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\vcruntime140d.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp File created: C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA13.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\astrct.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\astclient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\aw_sas32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp File created: C:\Users\user\AppData\Local\Temp\is-1SNR1.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\astprint.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB9D4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\hatls.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\opus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB9B3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\libcrypto-1_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\libcryptoMD.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\libcurl.dll
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe File created: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Programs\NETCore\native\sqlite3.dll
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe File created: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp File created: C:\Users\user\AppData\Local\Temp\is-1SNR1.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB8F6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB964.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA13.tmp
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce net
Source: C:\Users\user\Desktop\PkWnPA8l7C.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Section loaded: OutputDebugStringW count: 1843
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe RDTSC instruction interceptor: First address: 74BD2E second address: 74BD34 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe RDTSC instruction interceptor: First address: 74BD34 second address: 74BD44 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F52A4EFCD46h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe RDTSC instruction interceptor: First address: 74BD44 second address: 74BD4A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe RDTSC instruction interceptor: First address: 74BD4A second address: 74BD44 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F52A4EFCD46h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F52A4EFCD55h 0x0000000d dec ecx 0x0000000e jne 00007F52A4EFCD39h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: GetCursorPos,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetCursorPos,Sleep,Sleep, 11_2_070046CF
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Window / User API: threadDelayed 2883
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Window / User API: threadDelayed 3769
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1SNR1.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\astprint.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB9D4.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\hatls.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB8F6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB964.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\libjpeg-turbo-win.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\opus.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\AstCrp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB9B3.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\vcruntime140d.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\libcurl.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\libcryptoMD.dll
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QDG64.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\astrct.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBA13.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NETCore\native\astclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1SNR1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe API coverage: 7.4 %
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe TID: 3700 Thread sleep time: -144000s >= -30000s
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe TID: 3700 Thread sleep time: -3769000s >= -30000s
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Thread sleep count: Count: 2883 delay: -10
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_3_070021D5 FindFirstFileA, 11_3_070021D5
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs\NETCore\native
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs\NETCore
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe File opened: C:\Users\user\AppData\Local\Programs
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VMware
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VBoxService.exe
Source: PkWnPA8l7C.tmp, 00000002.00000002.2194743944.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: PkWnPA8l7C.tmp, 00000002.00000002.2194743944.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#
Source: apphost.exe, 00000008.00000002.4654404850.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VBoxService.exeU
Source: apphost.exe, 0000000D.00000003.2480121625.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: apphost.exe, 0000000B.00000003.2397135295.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%
Source: C:\Users\user\AppData\Local\Temp\is-M8GAV.tmp\PkWnPA8l7C.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6B8CEFE1
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8AACC0 GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 8_2_6B8AACC0
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8D1C01 mov eax, dword ptr fs:[00000030h] 8_2_6B8D1C01
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8CC43E mov eax, dword ptr fs:[00000030h] 8_2_6B8CC43E
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_07004BCB mov edi, dword ptr fs:[00000030h] 11_2_07004BCB
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe "C:\Users\user\AppData\Local\programs\NETCore\native\apphost.exe"
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6B8CEFE1
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8BDC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6B8BDC3A
Source: C:\Users\user\AppData\Local\Temp\is-J3O08.tmp\PkWnPA8l7C.tmp Process created: C:\Users\user\Desktop\PkWnPA8l7C.exe "C:\Users\user\Desktop\PkWnPA8l7C.exe" /verysilent /password=3ckn8
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndSVW
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWnd
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: apphost.exe, 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8CFBD1 GetSystemTimeAsFileTime, 8_2_6B8CFBD1
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_07004FAD GetUserNameA, 11_2_07004FAD
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: apphost.exe, apphost.exe, 0000000B.00000002.2404717489.0000000007003000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: PROCEXP.EXE

Stealing of Sensitive Information

Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: apphost.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 8.0.apphost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2256787876.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: apphost.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8739A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 8_2_6B8739A0
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 8_2_6B8A6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 8_2_6B8A6D50
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E168FD sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings, 11_2_61E168FD
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E283DC sqlite3_bind_blob64, 11_2_61E283DC
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E283B5 sqlite3_mutex_leave,sqlite3_bind_blob, 11_2_61E283B5
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E285E9 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 11_2_61E285E9
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E095A5 sqlite3_bind_parameter_index, 11_2_61E095A5
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E285B8 sqlite3_bind_null,sqlite3_mutex_leave, 11_2_61E285B8
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E03587 sqlite3_bind_parameter_name, 11_2_61E03587
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E28592 sqlite3_bind_int,sqlite3_bind_int64, 11_2_61E28592
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E03575 sqlite3_bind_parameter_count, 11_2_61E03575
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E28543 sqlite3_bind_int64,sqlite3_mutex_leave, 11_2_61E28543
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E284DE sqlite3_bind_double,sqlite3_mutex_leave, 11_2_61E284DE
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E284B7 sqlite3_bind_text16, 11_2_61E284B7
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E2844A sqlite3_bind_text64, 11_2_61E2844A
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E28423 sqlite3_bind_text, 11_2_61E28423
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E1672A sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 11_2_61E1672A
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E2873D sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 11_2_61E2873D
Source: C:\Users\user\AppData\Local\Programs\NETCore\native\apphost.exe Code function: 11_2_61E28656 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 11_2_61E28656