Edit tour

Windows Analysis Report
B06 Chair + Blocker.exe

Overview

General Information

Sample name:	B06 Chair + Blocker.exe
Analysis ID:	1579147
MD5:	a5f8f80600715c10513c5cc715e1de93
SHA1:	c13b2285b98f6a800ff001e64ada0035b88a8bda
SHA256:	a849f249a6651e91fc8777e00ba148c5fd6e29f051145f7f7ff9008ad2e9ffd3
Tags:	exeMalwareuser-fdghbngfdhb
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Excessive usage of taskkill to terminate processes

Found direct / indirect Syscall (likely to bypass EDR)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect virtualization through RDTSC time measurements

Uses powercfg.exe to modify the power settings

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Too many similar processes found

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

B06 Chair + Blocker.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5: A5F8F80600715C10513C5CC715E1DE93)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2784 cmdline: "C:\Windows\System32\cmd.exe" /C Powercfg -h off MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2720 cmdline: Powercfg -h off MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

cmd.exe (PID: 3180 cmdline: "C:\Windows\System32\cmd.exe" /C Powercfg -h off MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2716 cmdline: Powercfg -h off MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 732 cmdline: powershell "Confirm-SecureBootUEFI" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7124 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6168 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7160 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5724 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7120 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2852 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6036 cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5940 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 4108 cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2080 cmdline: taskkill /IM HTTPDebuggerSvc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2056 cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 7092 cmdline: certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

cmd.exe (PID: 732 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6552 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1740 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2448 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2056 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5348 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4304 cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3244 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 2368 cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6168 cmdline: taskkill /IM HTTPDebuggerSvc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6036 cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 1516 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7124 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7164 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2916 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7136 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 2080 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4820 cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1900 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3140 cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1216 cmdline: taskkill /IM HTTPDebuggerSvc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3180 cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5144 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4840 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6036 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1368 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6168 cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7208 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5720 cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7236 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 2368 cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1308 cmdline: taskkill /IM HTTPDebuggerSvc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2416 cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "Confirm-SecureBootUEFI" , CommandLine: powershell "Confirm-SecureBootUEFI" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5756, ParentProcessName: cmd.exe, ProcessCommandLine: powershell "Confirm-SecureBootUEFI" , ProcessId: 732, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: B06 Chair + Blocker.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: B06 Chair + Blocker.exe

Joe Sandbox ML: detected

Source: B06 Chair + Blocker.exe, 00000000.00000002.2919884022.00007FF793378000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_eabb4ab0-f

Source: unknown	HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: B06 Chair + Blocker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: limited\x64\Release\w1nner.pdb source: B06 Chair + Blocker.exe, 00000000.00000002.2919903076.00007FF794796000.00000004.00000001.01000000.00000003.sdmp

Source: global traffic	HTTP traffic detected: POST /api/1.2/ HTTP/1.1Host: keyauth.winAccept: /Content-Length: 90Content-Type: application/x-www-form-urlencoded
Source: global traffic	HTTP traffic detected: POST /api/1.2/ HTTP/1.1Host: keyauth.winAccept: /Content-Length: 124Content-Type: application/x-www-form-urlencoded

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: unknown

HTTP traffic detected: POST /api/1.2/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 90Content-Type: application/x-www-form-urlencoded

Source: B06 Chair + Blocker.exe, 00000000.00000002.2919884022.00007FF793378000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000003.1786520516.0000014F6F93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.cc/panel/WOOFER123/B06-CHEAT/
Source: B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919503818.0000014F6F87C000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: B06 Chair + Blocker.exe, 00000000.00000002.2919503818.0000014F6F87C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/dll
Source: B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/m
Source: B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/mY
Source: B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/pace

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: cmd.exe

Process created: 49

System Summary

PE file contains section with special chars

Source: B06 Chair + Blocker.exe	Static PE information: section name: . yi
Source: B06 Chair + Blocker.exe	Static PE information: section name: .\`#

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe Powercfg -h off

Source: B06 Chair + Blocker.exe, 00000000.00000002.2919903076.00007FF794796000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameHamakaze.exe( vs B06 Chair + Blocker.exe

Source: classification engine

Classification label: mal84.evad.winEXE@101/30@1/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hehvdpjw.lmq.ps1

Jump to behavior

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: B06 Chair + Blocker.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\B06 Chair + Blocker.exe "C:\Users\user\Desktop\B06 Chair + Blocker.exe"
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "Confirm-SecureBootUEFI"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "Confirm-SecureBootUEFI"	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "Confirm-SecureBootUEFI"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: B06 Chair + Blocker.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: B06 Chair + Blocker.exe

Static file information: File size 35106304 > 1048576

Source: B06 Chair + Blocker.exe

Static PE information: Raw size of .\`# is bigger than: 0x100000 < 0x2179200

Source: B06 Chair + Blocker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: limited\x64\Release\w1nner.pdb source: B06 Chair + Blocker.exe, 00000000.00000002.2919903076.00007FF794796000.00000004.00000001.01000000.00000003.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .\`#

Source: B06 Chair + Blocker.exe	Static PE information: section name: .HMg
Source: B06 Chair + Blocker.exe	Static PE information: section name: . yi
Source: B06 Chair + Blocker.exe	Static PE information: section name: .\`#

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Memory written: PID: 6764 base: 7FFE22370008 value: E9 EB D9 E9 FF			Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Memory written: PID: 6764 base: 7FFE2220D9F0 value: E9 20 26 16 00			Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	RDTSC instruction interceptor: First address: 7FF797810722 second address: 7FF797810750 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edx 0x00000004 inc ecx 0x00000005 bts edi, ecx 0x00000008 inc eax 0x00000009 rcl bh, cl 0x0000000b cbw 0x0000000d pop ecx 0x0000000e dec eax 0x0000000f movzx eax, bx 0x00000012 bts eax, edx 0x00000015 inc ecx 0x00000016 pop ebx 0x00000017 btr si, FF8Bh 0x0000001c dec eax 0x0000001d bt edi, FFFFFFE9h 0x00000021 inc ecx 0x00000022 pop edi 0x00000023 xor si, 2C19h 0x00000028 pop esi 0x00000029 inc ecx 0x0000002a btr esp, FFFFFFE8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	RDTSC instruction interceptor: First address: 7FF7977970C0 second address: 7FF7977970C5 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	RDTSC instruction interceptor: First address: 7FF7957083A3 second address: 7FF7957083A8 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	RDTSC instruction interceptor: First address: 7FF795628B5D second address: 7FF795628B6C instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc ecx 0x00000004 pop edx 0x00000005 inc ecx 0x00000006 pop ebx 0x00000007 dec ebp 0x00000008 cmove edi, ecx 0x0000000b dec eax 0x0000000c movzx ecx, sp 0x0000000f rdtsc
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	RDTSC instruction interceptor: First address: 7FF795626A74 second address: 7FF795626AA2 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edx 0x00000004 inc ecx 0x00000005 bts edi, ecx 0x00000008 inc eax 0x00000009 rcl bh, cl 0x0000000b cbw 0x0000000d pop ecx 0x0000000e dec eax 0x0000000f movzx eax, bx 0x00000012 bts eax, edx 0x00000015 inc ecx 0x00000016 pop ebx 0x00000017 btr si, FF8Bh 0x0000001c dec eax 0x0000001d bt edi, FFFFFFE9h 0x00000021 inc ecx 0x00000022 pop edi 0x00000023 xor si, 2C19h 0x00000028 pop esi 0x00000029 inc ecx 0x0000002a btr esp, FFFFFFE8h 0x0000002e rdtsc

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Window / User API: threadDelayed 4599	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Window / User API: threadDelayed 5367	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3781	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6105	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe TID: 7012	Thread sleep time: -229950s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe TID: 7012	Thread sleep time: -268350s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2196	Thread sleep count: 3781 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2196	Thread sleep count: 6105 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: B06 Chair + Blocker.exe	Binary or memory string: 0[VmCi
Source: B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Excessive usage of taskkill to terminate processes

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	NtProtectVirtualMemory: Indirect: 0x7FF795735706	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	NtUnmapViewOfSection: Direct from: 0x7FF7978B742C	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	NtProtectVirtualMemory: Direct from: 0x7FF7978B73D9	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	NtProtectVirtualMemory: Direct from: 0x7FF7978B73B7	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	NtOpenFile: Direct from: 0x7FF7978B74B8	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C Powercfg -h off	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt	Jump to behavior
Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe Powercfg -h off
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "Confirm-SecureBootUEFI"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: C:\Users\user\Desktop\B06 Chair + Blocker.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Disable or Modify Tools	1 Credential API Hooking	11 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
B06 Chair + Blocker.exe	34%	ReversingLabs	Win32.Malware.Generic
B06 Chair + Blocker.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.2/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://keyauth.win/api/1.2/mY	B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	false	high
https://keyauth.win/api/1.2/dll	B06 Chair + Blocker.exe, 00000000.00000002.2919503818.0000014F6F87C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://keyauth.win/api/1.2/m	B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	false	high
https://keyauth.win/api/1.2/pace	B06 Chair + Blocker.exe, 00000000.00000003.2017106336.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp	false	high
https://curl.haxx.se/docs/http-cookies.html	B06 Chair + Blocker.exe, 00000000.00000002.2919884022.00007FF793378000.00000002.00000001.01000000.00000003.sdmp	false	high
https://keyauth.cc/panel/WOOFER123/B06-CHEAT/	B06 Chair + Blocker.exe, 00000000.00000002.2919589300.0000014F6F903000.00000004.00000020.00020000.00000000.sdmp, B06 Chair + Blocker.exe, 00000000.00000003.1786520516.0000014F6F93E000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579147
Start date and time:	2024-12-20 23:01:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	60
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	B06 Chair + Blocker.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@101/30@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: B06 Chair + Blocker.exe

Simulations

Behavior and APIs

Time	Type	Description
17:02:08	API Interceptor	20x Sleep call for process: powershell.exe modified
17:02:50	API Interceptor	1583056x Sleep call for process: B06 Chair + Blocker.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	file.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	exe004.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	YearEnd_Benefit_Bonus_Payout__Details__ChasChas.html	Get hash	malicious	Unknown	Browse	104.16.123.96
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.164.25
	q9bzWO2X1r.msi	Get hash	malicious	Unknown	Browse	172.67.164.25
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.91.209
	https://p.usertrackjvg.top/us	Get hash	malicious	HTMLPhisher	Browse	104.21.39.136
	Setup (3).exe.zip	Get hash	malicious	Unknown	Browse	104.18.26.149
	https://contractorssteelform1flows.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.31.19
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.197.170
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	2BI8rJKpBa.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.0.5
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.26.0.5
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.26.0.5
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.26.0.5
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5
	P0RN-vidz.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.0.5
	2AIgdyA1Cl.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.0.5
	Sentinelled.vbs	Get hash	malicious	Unknown	Browse	104.26.0.5
	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	Get hash	malicious	Cobalt Strike	Browse	104.26.0.5
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	104.26.0.5

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hehvdpjw.lmq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpo2psn4.1nb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb53ky54.zmu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z4fyaoom.t55.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\secureboot_status.txt

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:ES:ES
MD5:	2308350A9839C3598B36F683FB234F10
SHA1:	F7E3B5D31E20DD06B74F82193AE6894A3688A7F9
SHA-256:	B625E5139B05722842537C7016E2E78C22D36212EAEAE63FCE2B2005B7808F33
SHA-512:	5DC4C835D8D52206DD16729F08C17179632328800F0809372C2A90F6F31729ED96F95BC4AA0B7449A2B6B2629E53B07099AF20BE73313E95F9FDCC5C81A67CBF
Malicious:	false
Preview:	False..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\B06 Chair + Blocker.exe
File Type:	ASCII text, with CRLF line terminators, with escape sequences
Category:	dropped
Size (bytes):	253
Entropy (8bit):	3.313123558721068
Encrypted:	false
SSDEEP:	6:L6JNLo60xFRU5FZFhbCyicj/NF5eOuwnnoHH08IiV06SnRyFBF:qjgFYzCyicbX87GvRWBF
MD5:	98A030BD1D954ECD91CEF19DEFBB7413
SHA1:	3EDB3201217DA03EF8DE9409072C91A8EB939CA6
SHA-256:	557924183885F288A4588F6DEB1A144F60801A177E786100A426BC33C267E27C
SHA-512:	063E473A7B210713BA4589F6EB9DBBE2EC396822EB73BDDB11FE9FB0D5D3C49F12C27E1640DF51A81AEE34A723553F5086711DA9158A4B46DECD55D37E5EA20F
Malicious:	false
Preview:	_________________ ________..\______ \ _ \ / _____/.. \| \| _/ /_\ \/ __ \ .. \| \| \ \_/ \ \|__\ \.. \|______ /\_____ /\_____ /.. \/ \/ \/ ...[0m..[+] Status: .[32mUndetected.[0m....[+] Enter License Key:

\Device\Null

Download File

Process:	C:\Windows\System32\sc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.612641754685495
Encrypted:	false
SSDEEP:	3:WuDHmzgYVhovoUWMMABhDHEKpKBWRr7ZOBFHDHna:WuTmxVQoPMxDHEKsgRHZOBFjHa
MD5:	9DABDBFADDFC26A09CFFF304EE68172A
SHA1:	2417EEF91CCCD5C736146063DEC26C20497B6C32
SHA-256:	A89681A1F82F2AAA1CC21492CA070DD217415F2ADB1F94AB340453B13AEB12F4
SHA-512:	22C3FF32F59ECCD926CF774697CB1C0EA44B9A90ADC1698090EAC9A3D8AB07FF9414A968F3ECB0E820E69ECCB0532074FAC78E1883E9D5D8153A32019EEA6722
Malicious:	false
Preview:	[SC] OpenService FAILED 1060:....The specified service does not exist as an installed service.....

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.996498649488139
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	B06 Chair + Blocker.exe
File size:	35'106'304 bytes
MD5:	a5f8f80600715c10513c5cc715e1de93
SHA1:	c13b2285b98f6a800ff001e64ada0035b88a8bda
SHA256:	a849f249a6651e91fc8777e00ba148c5fd6e29f051145f7f7ff9008ad2e9ffd3
SHA512:	998c5cb7e6c05e4b34312dfb3f532daed8cfcb50a8906af517a93de1c2c6ab513fc80d14269566ca49dcdd8b8745e1235e06e4eb617036b8da0f39869e727352
SSDEEP:	786432:awwpTyWQrj9tBJlxiObBivYpl7+5C1luXcfQhCx8z:aJyD9LJlxiOb8gpl7+5yQXcoM+z
TLSH:	CD7733997198339CC42FC0B8D433EC4AF176562F04A5D9FA76CFBE8077A9504D986B0A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{Rg.........."....(.j...4........H........@.............................P]...........`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14248f697
Entrypoint Section:	.\`#
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67527BFB [Fri Dec 6 04:22:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	33746de9cb08198c48d704fa2297a15c

Entrypoint Preview

Instruction
inc ecx
push eax
pushfd
dec ecx
mov eax, 49000B28h
ficom word ptr [eax-29h]
inc esp
inc ecx
xor al, 0000006Ah
inc ecx
xor al, FFFFFFF9h
inc ecx
setnbe al
push 588E3A2Bh
inc bp
add eax, eax
dec esp
mov eax, dword ptr [esp+10h]
dec eax
mov dword ptr [esp+10h], DA434312h
call 00007FBB5508FACCh
sub bh, byte ptr [ebp+324A302Dh]
bound esp, dword ptr [ecx]
push ecx
aad 9Eh
and dword ptr [edi+ecx*2-12h], ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6e2b8	0x230	.\`#
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45d4000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x45cab90	0x7644	.\`#
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x45d3000	0xe0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2c9c3b8	0x28	.\`#
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x45caa50	0x140	.\`#
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2457000	0x1e0	. yi
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8680c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x88000	0x1d308	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa6000	0x1b709c8	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1c17000	0x4de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.HMg	0x1c1c000	0x83a28b	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
. yi	0x2457000	0x1320	0x1400	8986c658429a96b9ee8a70801649d23a	False	0.0388671875	data	0.30364988350424044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.\`#	0x2459000	0x21791d4	0x2179200	84fa2eb8f571bf4eb1bc12d4d09f7a06	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x45d3000	0xe0	0x200	a890373a79eb85396659f4f73142d43a	False	0.357421875	data	2.341915762456445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x45d4000	0x1e0	0x200	ff197a28696ec5c4cecdc60b134e0fc1	False	0.537109375	data	4.783994763849104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x45d4058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	HeapSize
USER32.dll	UnhookWindowsHookEx
ADVAPI32.dll	CryptEncrypt
SHELL32.dll	ShellExecuteW
MSVCP140.dll	?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
ntdll.dll	RtlLookupFunctionEntry
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChainEngine
WS2_32.dll	ntohs
PSAPI.DLL	GetModuleInformation
USERENV.dll	UnloadUserProfile
VCRUNTIME140.dll	__std_terminate
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_resetstkoflw
api-ms-win-crt-string-l1-1-0.dll	strcspn
api-ms-win-crt-heap-l1-1-0.dll	malloc
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode
api-ms-win-crt-filesystem-l1-1-0.dll	remove
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-convert-l1-1-0.dll	strtoll
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-locale-l1-1-0.dll	localeconv
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
KERNEL32.dll	GetVersion
USER32.dll	CharUpperBuffW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 23:02:13.599436998 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:13.599476099 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:13.599678040 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:13.637664080 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:13.637691975 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:14.860713959 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:14.860793114 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:14.863886118 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:14.863893032 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:14.864291906 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:14.871989965 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:14.915379047 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.395122051 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.395229101 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.395428896 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.402132988 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.402152061 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.402209997 CET	49734	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.402215958 CET	443	49734	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.686675072 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.686738968 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:15.686816931 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.687896013 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:15.687913895 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:16.906028986 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:16.906115055 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:16.907377958 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:16.907397032 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:16.908198118 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:16.908556938 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:16.955342054 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:17.530740023 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:17.531084061 CET	443	49739	104.26.0.5	192.168.2.4
Dec 20, 2024 23:02:17.532202959 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:17.546257019 CET	49739	443	192.168.2.4	104.26.0.5
Dec 20, 2024 23:02:17.546277046 CET	443	49739	104.26.0.5	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 23:02:13.375636101 CET	49422	53	192.168.2.4	1.1.1.1
Dec 20, 2024 23:02:13.519134045 CET	53	49422	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 23:02:13.375636101 CET	192.168.2.4	1.1.1.1	0x1268	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 23:02:13.519134045 CET	1.1.1.1	192.168.2.4	0x1268	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Dec 20, 2024 23:02:13.519134045 CET	1.1.1.1	192.168.2.4	0x1268	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Dec 20, 2024 23:02:13.519134045 CET	1.1.1.1	192.168.2.4	0x1268	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.26.0.5	443	6764	C:\Users\user\Desktop\B06 Chair + Blocker.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 22:02:14 UTC	128	OUT	POST /api/1.2/ HTTP/1.1 Host: keyauth.win Accept: / Content-Length: 90 Content-Type: application/x-www-form-urlencoded
2024-12-20 22:02:14 UTC	90	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 31 2e 30 26 68 61 73 68 3d 61 35 66 38 66 38 30 36 30 30 37 31 35 63 31 30 35 31 33 63 35 63 63 37 31 35 65 31 64 65 39 33 0a 26 6e 61 6d 65 3d 42 30 36 2d 43 48 45 41 54 26 6f 77 6e 65 72 69 64 3d 32 45 38 41 6d 6e 4b 57 41 48 Data Ascii: type=init&ver=1.0&hash=a5f8f80600715c10513c5cc715e1de93&name=B06-CHEAT&ownerid=2E8AmnKWAH
2024-12-20 22:02:15 UTC	1184	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 22:02:15 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 451 Connection: close signature: 1b4ea0f83a7265cf544ce99f7c21203f959f676153ad928263d85918465fddd8 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=leTu0ImWORBlB3lYhbk7UXuNLvHkmH1WqpYAaGGbBqk%2BLdX1nabgi4VN7HO2kZepDZM9R9XERmsPUiMerXe3BaWcKBPC6UzHmmncVnbCkcj2Zj%2BmYfYdXGRxK%2FtS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 8f52ea6489a0429e-EWR
2024-12-20 22:02:15 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 37 30 33 26 6d 69 6e 5f 72 74 74 3d 31 36 39 37 26 72 74 74 5f 76 61 72 3d 36 34 39 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 33 34 33 26 72 65 63 76 5f 62 79 74 65 73 3d 38 37 38 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 36 37 31 34 33 36 26 63 77 6e 64 3d 32 30 38 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 65 61 62 30 34 32 64 61 65 37 33 30 34 65 31 35 26 74 73 3d 35 35 30 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1697&rtt_var=649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2343&recv_bytes=878&delivery_rate=1671436&cwnd=208&unsent_bytes=0&cid=eab042dae7304e15&ts=550&x=0"
2024-12-20 22:02:15 UTC	451	IN	Data Raw: 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 63 6f 64 65 22 3a 36 38 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 39 64 36 38 61 63 34 65 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 Data Ascii: {"success":true,"code":68,"message":"Initialized","sessionid":"9d68ac4e","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() funct

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.26.0.5	443	6764	C:\Users\user\Desktop\B06 Chair + Blocker.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 22:02:16 UTC	129	OUT	POST /api/1.2/ HTTP/1.1 Host: keyauth.win Accept: / Content-Length: 124 Content-Type: application/x-www-form-urlencoded
2024-12-20 22:02:16 UTC	124	OUT	Data Raw: 74 79 70 65 3d 63 68 65 63 6b 62 6c 61 63 6b 6c 69 73 74 26 68 77 69 64 3d 53 2d 31 2d 35 2d 32 31 2d 32 32 34 36 31 32 32 36 35 38 2d 33 36 39 33 34 30 35 31 31 37 2d 32 34 37 36 37 35 36 36 33 34 2d 31 30 30 32 26 73 65 73 73 69 6f 6e 69 64 3d 39 64 36 38 61 63 34 65 26 6e 61 6d 65 3d 42 30 36 2d 43 48 45 41 54 26 6f 77 6e 65 72 69 64 3d 32 45 38 41 6d 6e 4b 57 41 48 Data Ascii: type=checkblacklist&hwid=S-1-5-21-2246122658-3693405117-2476756634-1002&sessionid=9d68ac4e&name=B06-CHEAT&ownerid=2E8AmnKWAH
2024-12-20 22:02:17 UTC	1184	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 22:02:17 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 134 Connection: close signature: f944af0c8af1503ec451f74d7dce0324d0740ac5425fdf7d9172f95a00316014 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8R9yNkvWIJQn2QkjQW8fJip3QeLLAb4duqv6HL3ZW%2Bzu73E8WS3ujtEdvTv94V2jn7TFst%2F87%2FMm19pZ1AP3K8SjpEeY9PQtNXNg2mTGl5p2x48MXROzifRvTvaH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 8f52ea716b3243b5-EWR
2024-12-20 22:02:17 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 36 36 35 26 6d 69 6e 5f 72 74 74 3d 31 36 33 30 26 72 74 74 5f 76 61 72 3d 36 33 36 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 33 34 33 26 72 65 63 76 5f 62 79 74 65 73 3d 39 31 33 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 39 31 34 31 31 26 63 77 6e 64 3d 32 32 35 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 34 37 30 39 39 38 63 61 61 66 64 66 63 38 33 35 26 74 73 3d 36 33 37 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1630&rtt_var=636&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2343&recv_bytes=913&delivery_rate=1791411&cwnd=225&unsent_bytes=0&cid=470998caafdfc835&ts=637&x=0"
2024-12-20 22:02:17 UTC	134	IN	Data Raw: 7b 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 2c 22 63 6f 64 65 22 3a 30 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 6c 69 65 6e 74 20 69 73 20 6e 6f 74 20 62 6c 61 63 6b 6c 69 73 74 65 64 22 2c 22 6e 6f 6e 63 65 22 3a 22 65 66 66 36 34 33 38 35 2d 37 63 36 33 2d 34 65 32 63 2d 39 32 63 33 2d 61 61 31 30 37 37 39 61 36 30 34 32 22 2c 22 6f 77 6e 65 72 69 64 22 3a 22 32 45 38 41 6d 6e 4b 57 41 48 22 7d Data Ascii: {"success":false,"code":0,"message":"Client is not blacklisted","nonce":"eff64385-7c63-4e2c-92c3-aa10779a6042","ownerid":"2E8AmnKWAH"}

Target ID:	0
Start time:	17:02:02
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\B06 Chair + Blocker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\B06 Chair + Blocker.exe"
Imagebase:	0x7ff7932f0000
File size:	35'106'304 bytes
MD5 hash:	A5F8F80600715C10513C5CC715E1DE93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	17:02:02
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C Powercfg -h off
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	Powercfg -h off
Imagebase:	0x7ff786020000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C Powercfg -h off
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 5756, Parent PID: 6764

General

Target ID:	6
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell "Confirm-SecureBootUEFI"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:02:07
Start date:	20/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	Powercfg -h off
Imagebase:	0x7ff786020000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff70f330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM HTTPDebuggerSvc.exe /F
Imagebase:	0x7ff7699e0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff68f410000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:02:11
Start date:	20/12/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\B06 Chair + Blocker.exe" MD5
Imagebase:	0x7ff6bb5a0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 1740, Parent PID: 6764

General

Target ID:	24
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 6552, Parent PID: 732

General

Target ID:	25
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 4304, Parent PID: 6764

General

Target ID:	27
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 2448, Parent PID: 1740

General

Target ID:	28
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 6036, Parent PID: 6764

General

Target ID:	30
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 3244, Parent PID: 4304

General

Target ID:	31
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff68f410000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	17:02:12
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM HTTPDebuggerSvc.exe /F
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7164, Parent PID: 6764

General

Target ID:	35
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7136, Parent PID: 6764

General

Target ID:	36
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 7124, Parent PID: 1516

General

Target ID:	37
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 2080, Parent PID: 7136

General

Target ID:	40
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 1900, Parent PID: 4820

General

Target ID:	42
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff68f410000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 1216, Parent PID: 3140

General

Target ID:	44
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM HTTPDebuggerSvc.exe /F
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff793070000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM HTTPDebuggerSvc.exe /F
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff63c400000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	17:02:14
Start date:	20/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff68f410000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report B06 Chair + Blocker.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

DDoS

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hehvdpjw.lmq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpo2psn4.1nb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb53ky54.zmu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z4fyaoom.t55.psm1

C:\secureboot_status.txt

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
B06 Chair + Blocker.exe