Edit tour

Windows Analysis Report
CF537GfmKa.exe

Overview

General Information

Sample name:	CF537GfmKa.exe renamed because original name is a hash value
Original sample name:	5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd.exe
Analysis ID:	1589527
MD5:	834c7fd865eee5f7e17a3a1fb62e7051
SHA1:	0246696395c8514494435f645cdff034d70d0951
SHA256:	5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
Tags:	exefunklockerfunksecransomwareRustyStealeruser-TheRavenFile
Infos:

Detection

FunkLocker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FunkLocker Ransomware

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates files in the recycle bin to hide itself

Disables Windows Defender (via service or powershell)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Sigma detected: Disable of ETW Trace

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Classification

Process Tree

System is w10x64

CF537GfmKa.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\CF537GfmKa.exe" MD5: 834C7FD865EEE5F7E17A3A1FB62E7051)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 5480 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 6992 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

tasklist.exe (PID: 7072 cmdline: "tasklist" /fi "IMAGENAME eq vmware" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

powershell.exe (PID: 7152 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7232 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7124 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 6740 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 1700 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 1544 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 4008 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: CF537GfmKa.exe PID: 6760	JoeSecurity_funklocker	Yara detected FunkLocker Ransomware	Joe Security

Sigma Signatures

System Summary

Sigma detected: Disable of ETW Trace

Source: Process started

Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CF537GfmKa.exe", ParentImage: C:\Users\user\Desktop\CF537GfmKa.exe, ParentProcessId: 6760, ParentProcessName: CF537GfmKa.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 7124, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CF537GfmKa.exe", ParentImage: C:\Users\user\Desktop\CF537GfmKa.exe, ParentProcessId: 6760, ParentProcessName: CF537GfmKa.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7152, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Source: Process started

Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105: Data: Command: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7124, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, ProcessId: 6740, ProcessName: wevtutil.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CF537GfmKa.exe", ParentImage: C:\Users\user\Desktop\CF537GfmKa.exe, ParentProcessId: 6760, ParentProcessName: CF537GfmKa.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 4008, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CF537GfmKa.exe", ParentImage: C:\Users\user\Desktop\CF537GfmKa.exe, ParentProcessId: 6760, ParentProcessName: CF537GfmKa.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7152, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\CK3Wg2mN4T.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: CF537GfmKa.exe	Virustotal: Detection: 66%			Perma Link
Source: CF537GfmKa.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source: unknown

HTTPS traffic detected: 199.232.196.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: CF537GfmKa.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: dev.pdbw source: CF537GfmKa.exe
Source:	Binary string: dev.pdb source: CF537GfmKa.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: Joe Sandbox View

IP Address: 199.232.196.193 199.232.196.193

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: global traffic

DNS traffic detected: DNS query: i.imgur.com

Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501691000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.00000145016C5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501691000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.00000145016C5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501691000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.00000145016C5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145015FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: CF537GfmKa.exe, 00000000.00000003.1909014710.00000145016C5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.0000014501630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.live.com/0CR%1/30
Source: CF537GfmKa.exe	String found in binary or memory: http://ns.adobe.
Source: powershell.exe, 00000008.00000002.1756212996.00000229433C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
Source: powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1733064682.0000022933C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1733064682.0000022933351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1733064682.0000022933C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: powershell.exe, 00000008.00000002.1733064682.0000022933351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.1733064682.0000022934666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CF537GfmKa.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016FD000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.0000014501686000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016EA000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016CB000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: CF537GfmKa.exe	String found in binary or memory: https://getsession.org/
Source: powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1733064682.0000022934666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: CF537GfmKa.exe	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m-vnext.sqlazurelabs.com/
Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000008.00000002.1756212996.00000229433C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: CF537GfmKa.exe, 00000000.00000003.1905282842.0000014501655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: CF537GfmKa.exe	String found in binary or memory: https://www.blockchain.com/)
Source: CF537GfmKa.exe	String found in binary or memory: https://www.coinbase.com/)
Source: CF537GfmKa.exe	String found in binary or memory: https://www.torproject.org/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 199.232.196.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_920ebda5-c

Spam, unwanted Advertisements and Ransom Demands

Yara detected FunkLocker Ransomware

Source: Yara match

File source: Process Memory Space: CF537GfmKa.exe PID: 6760, type: MEMORYSTR

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: CF537GfmKa.exe, 00000000.00000003.1881981187.00000145023BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameIntegrator.exeB vs CF537GfmKa.exe

Source: CF537GfmKa.exe	Binary string: Failed to open \Device\Afd\Mio: X
Source: CF537GfmKa.exe	Binary string: 0\Device\Afd\Mio

Source: CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectClass
Source: CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectsClass

Source: classification engine

Classification label: mal100.rans.evad.winEXE@21/157@1/1

Source: C:\Users\user\Desktop\CF537GfmKa.exe

File created: C:\Users\user\Desktop\README-IeCSISq4gi.md

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vmdz15gz.uy3.ps1

Jump to behavior

Source: CF537GfmKa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'

Source: C:\Users\user\Desktop\CF537GfmKa.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE SchemaVersions(schema_id INTEGER PRIMARY KEY NOT NULL, SchemaVersion INTEGER NOT NULL, GitSHA1 TEXT NOT NULL , UNIQUE (SchemaVersion, GitSHA1));
Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: CF537GfmKa.exe	Virustotal: Detection: 66%
Source: CF537GfmKa.exe	ReversingLabs: Detection: 71%

Source: CF537GfmKa.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block

Source: C:\Users\user\Desktop\CF537GfmKa.exe

File read: C:\Users\user\Desktop\CF537GfmKa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CF537GfmKa.exe "C:\Users\user\Desktop\CF537GfmKa.exe"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\net.exe "net" session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CF537GfmKa.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: CF537GfmKa.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: CF537GfmKa.exe

Static file information: File size 5482496 > 1048576

Source: CF537GfmKa.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37c600
Source: CF537GfmKa.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18bc00

Source: CF537GfmKa.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: CF537GfmKa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dev.pdbw source: CF537GfmKa.exe
Source:	Binary string: dev.pdb source: CF537GfmKa.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CF537GfmKa.exe

File created: C:\Users\CK3Wg2mN4T.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\CF537GfmKa.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7432	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2217	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2109	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2048	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7051	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2526	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep count: 7432 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep count: 2217 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8	Thread sleep count: 2109 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428	Thread sleep count: 2048 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3852	Thread sleep count: 7051 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5180	Thread sleep count: 2526 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=/
Source: tasklist.exe, 00000004.00000003.1693814599.000001A494E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000004.00000003.1693814599.000001A494E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000003.1693814599.000001A494E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMAGENAME eq vmware
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:22.600][MicrosoftEdgeUpdate:msedgeupdate][3356:4472][Send][url=https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/latest?action=select][request={"targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.96,"AppTargetVersionPrefix":"","AppVersion":"1.3.147.37","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"core","IsInternalUser":false,"IsMachine":true,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.147.37"}}][filename=]
Source: CF537GfmKa.exe	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LB8@
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eeKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=/
Source: CF537GfmKa.exe	Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:35.318][MicrosoftEdgeUpdate:msedgeupdate][4092:4100][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_stable=INBX&appChannel_stable=4&appConsentState_stable=0&appDayOfInstall_stable=0&appInstallTimeDiffSec_stable=0&appLastLaunchTime_stable=0&appUpdateCheckIsUpdateDisabled_stable=false&appVersion_stable=92.0.902.67&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osPlatform=win&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.147.37][request=][filename=]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=/
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ePXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=/
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:10.568][MicrosoftEdgeUpdate:msedgeupdate][4796:8636][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"","AppRollout":0.63,"AppTargetVersionPrefix":"","AppVersion":"","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"otherinstallcmd","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":10,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: tasklist.exe, 00000004.00000002.1694203560.000001A494E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000004.00000002.1694203560.000001A494E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000002.1694119831.000001A494DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"
Source: tasklist.exe, 00000004.00000003.1693814599.000001A494E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'0
Source: CF537GfmKa.exe, 00000000.00000003.1927003032.000001457FBD7000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000002.1927866977.000001457FBD7000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1926871152.000001457FBD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tasklist.exe, 00000004.00000003.1693814599.000001A494E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware
Source: CF537GfmKa.exe, 00000000.00000000.1690085887.00007FF7E163E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq LBd
Source: tasklist.exe, 00000004.00000002.1694250091.000001A4950D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmwareuser\G]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=!
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:11:26.031][MicrosoftEdgeUpdate:msedgeupdate][6164:6168][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=+
Source: tasklist.exe, 00000004.00000002.1694250091.000001A4950D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'Ab]
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:06:04.175][MicrosoftEdgeUpdate:msedgeupdate][8536:732][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=117.0.2045.47&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=9
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:09.866][MicrosoftEdgeUpdate:msedgeupdate][1336:8952][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.177.11&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=e*1
Source: CF537GfmKa.exe, 00000000.00000003.1903646139.0000014501B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:10:48.035][MicrosoftEdgeUpdate:msedgeupdate][4220:5516][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.72,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"92","AppRollout":0.65,"AppTargetVersionPrefix":"","AppVersion":"92.0.902.67","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.6,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: CF537GfmKa.exe, 00000000.00000003.1847274248.0000014501FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=A
Source: tasklist.exe, 00000004.00000002.1694119831.000001A494DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware"C:\Windows\system32\tasklist.exeWinsta0\Default

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\dbg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\AppV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\PCPKSP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys\4fbf593b24f129e7d8c9fc84ba6a1ac3_9e146be9-c76a-4720-bcdb-53011b87bd06 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventTranscript VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DRM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\DRM\Server VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Pending.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Connections VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Office VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Provisioning VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Provisioning\AssetCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00011.jtx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CF537GfmKa.exe	Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Code function: 0_2_00007FF7E162B7B8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E162B7B8

Source: C:\Users\user\Desktop\CF537GfmKa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CF537GfmKa.exe	67%	Virustotal		Browse
CF537GfmKa.exe	71%	ReversingLabs	Win64.Ransomware.FunkSec

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\CK3Wg2mN4T.exe	71%	ReversingLabs	Win64.Ransomware.FunkSec

Source	Detection	Scanner	Label
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe
https://getsession.org/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4.imgur.map.fastly.net	199.232.196.193	true	false		high
i.imgur.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://g.live.com/0CR%1/30	CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	CF537GfmKa.exe	false		high
https://g.live.com/odclientsettings/ProdV2.C:	CF537GfmKa.exe, 00000000.00000003.1905282842.0000014501686000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016EA000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016CB000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	CF537GfmKa.exe	false		high
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	CF537GfmKa.exe, 00000000.00000003.1854907203.0000014501FCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016FD000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1756212996.00000229433C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1733064682.0000022933351000.00000004.00000800.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp, CF537GfmKa.exe, 00000000.00000003.1909014710.0000014501671000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getsession.org/	CF537GfmKa.exe	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1756212996.00000229433C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.1733064682.0000022933C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000002.1733064682.0000022934666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1733064682.0000022934CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000008.00000002.1733064682.0000022934666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.imgur.com/HCYQoVR.jpeg	CF537GfmKa.exe	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.coinbase.com/)	CF537GfmKa.exe	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	CF537GfmKa.exe, 00000000.00000003.1905282842.00000145016A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1733064682.0000022933C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1733064682.0000022933578000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	CF537GfmKa.exe, 00000000.00000003.1881981187.0000014501FCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1733064682.0000022933351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.	CF537GfmKa.exe	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.blockchain.com/)	CF537GfmKa.exe	false		high
https://login.microsoftonline.com/common	CF537GfmKa.exe, 00000000.00000003.1902296321.0000014501DD0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.232.196.193	ipv4.imgur.map.fastly.net	United States		54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589527
Start date and time:	2025-01-12 18:46:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CF537GfmKa.exe renamed because original name is a hash value
Original Sample Name:	5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd.exe
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@21/157@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CF537GfmKa.exe, PID 6760 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:47:05	API Interceptor	34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.232.196.193	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse
	http://synthex.cheating.store/	Get hash	malicious	Unknown	Browse
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipv4.imgur.map.fastly.net	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse	199.232.196.193
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	199.232.196.193
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse	199.232.192.193
	http://synthex.cheating.store/	Get hash	malicious	Unknown	Browse	199.232.196.193
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	199.232.192.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	PDF-523.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	151.101.129.44
	http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.199.110.153
	https://adopt0098.bitbucket.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	199.232.196.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.196.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.196.193
	v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	199.232.196.193
	c2.hta	Get hash	malicious	Unknown	Browse	199.232.196.193
	E6wUHnV51P.exe	Get hash	malicious	DCRat	Browse	199.232.196.193
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	199.232.196.193
	c1.hta	Get hash	malicious	Unknown	Browse	199.232.196.193

Process:	C:\Users\user\Desktop\CF537GfmKa.exe
File Type:	data
Category:	dropped
Size (bytes):	249
Entropy (8bit):	7.235890435988568
Encrypted:	false
SSDEEP:	6:auDAOX74KRUDvJIFXnFIDs4KmihrTB/zE92SYz:XAOXknDh6nF+ziVB/zg2D
MD5:	C9E5B2A6B3ABB7C862DD3FF16B5FE7FE
SHA1:	8BF7A7B74EFA1F8BDE157F3D5B5B8BC3200F4438
SHA-256:	C4C79CD5465DF2A533D8D4BAECBEE06315906CA47D2D3ED554A1C8DD5BB4DD1B
SHA-512:	BF21AEC3AC3EC1126291565AE809C59B87A1DD2B0B8E5E7FACA6785921719369AD464F1F6AD2CD73D55932C426C50911106342216804D8FC0618AD39B12A17B5
Malicious:	true
Preview:	Lh...A&...rUQ.X..J..@.A.5......a,.....t.z...$!...[;..Rj.V.^1...M?<.h...n.K;i........f............~.......d..!O&R.Q.d{.l.........s..!){K..'.._.....Zk...M]a....xW..ZV.L.J.E......m...e33.a...p..H.k..EX..b.(6.+.K_!.+..m.....Q.. .#..G1+9c>B.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.240396435896552
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CF537GfmKa.exe
File size:	5'482'496 bytes
MD5:	834c7fd865eee5f7e17a3a1fb62e7051
SHA1:	0246696395c8514494435f645cdff034d70d0951
SHA256:	5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
SHA512:	4245d2933935ef329c91d32b3ccf3719cd137ab90fbd4436a327f24c9825ca72a0b9ecdeafe6750f9290d8930fb472878c6780bed6f216412c96e457d1e804e1
SSDEEP:	49152:vNrjLXqz4aEXEMvTR4CY6C74bC6xxXjWe/l+XYq7p4BFt277t19sJpoc74P8TKWQ:OMvTRdxAG5/TuIx5f3
TLSH:	D6462922BB5A99ADC49AC0B083564B72697134CB0B35B9FF44C446783E6DAF42F3C758
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d.....{g.........."

Entrypoint:	0x14036b55c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677B011F [Sun Jan 5 22:01:03 2025 UTC]
TLS Callbacks:	0x40352510, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	de46efa2ebc1886f978c8fb5ad471f48

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x508374	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x50e000	0x28d28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x537000	0x614c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x477a90	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x477b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x477950	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37e000	0x660	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x37c44f	0x37c600	3cdde8ad736cadc7039e4157f0c0fe4c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37e000	0x18bb00	0x18bc00	335d454e8d9a0d332e3231970c7ea839	False	0.26264781072331017	DIY-Thermocam raw data (Lepton 2.x), scale 10757-14400, spot sensor temperature 0.000000, unit celsius, color scheme 7, calibration: offset 512.000000, slope 3250994570218613914771524346183680.000000	5.394928298151681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50a000	0x3310	0x3200	e60990d6d7b6eb8bba2215cafa78a1ff	False	0.1609375	data	2.37717939628913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x50e000	0x28d28	0x28e00	4f7f16fc2ad7661ce5aa9b4bbc34086d	False	0.49999402714067276	data	6.413335908883142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x537000	0x614c	0x6200	e39eed23d057020af7ca276a61a11d9d	False	0.4321986607142857	data	5.452874903711012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
kernel32.dll	GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SetHandleInformation, GetSystemTimeAsFileTime, InitializeSListHead, lstrlenW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, DuplicateHandle, CreateWaitableTimerExW
ws2_32.dll	send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
user32.dll	SystemParametersInfoW
shell32.dll	SHGetKnownFolderPath
ole32.dll	CoTaskMemFree
advapi32.dll	RegOpenKeyExW, RegCloseKey, RegQueryValueExW, SystemFunction036
secur32.dll	AcquireCredentialsHandleA, DeleteSecurityContext, DecryptMessage, QueryContextAttributesW, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, ApplyControlToken, EncryptMessage, FreeCredentialsHandle
crypt32.dll	CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll	NtCancelIoFileEx, NtCreateFile, NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	memcmp, __current_exception_context, memmove, __current_exception, memset, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll	roundf, pow, round, exp2f, truncf, ceil, powf, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:47:13.570919037 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:13.570971012 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:13.571052074 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:13.583720922 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:13.583739042 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.147083044 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.147186041 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.151223898 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.151233912 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.151655912 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.206774950 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.212649107 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.255321980 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.314896107 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315089941 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315165043 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315212965 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.315223932 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315273046 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.315279961 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315613031 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.315684080 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.315690994 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.316237926 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.316306114 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.316312075 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.316382885 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.316431999 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.316437960 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.329014063 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.329073906 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.329081059 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.378618956 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.402165890 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402364016 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402432919 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.402447939 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402532101 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402592897 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.402605057 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402698994 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402757883 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.402770042 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402930975 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.402985096 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.402997017 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.403134108 CET	443	49730	199.232.196.193	192.168.2.4
Jan 12, 2025 18:47:14.403193951 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.403445005 CET	49730	443	192.168.2.4	199.232.196.193
Jan 12, 2025 18:47:14.403460026 CET	443	49730	199.232.196.193	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:47:13.558760881 CET	49912	53	192.168.2.4	1.1.1.1
Jan 12, 2025 18:47:13.566344023 CET	53	49912	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-12 17:47:14 UTC	62	OUT	GET /HCYQoVR.jpeg HTTP/1.1 accept: / host: i.imgur.com
2025-01-12 17:47:14 UTC	763	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28864 Content-Type: image/jpeg Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT ETag: "70f83e99427ac54b92283eaecb69c5df" x-amz-server-side-encryption: AES256 X-Amz-Cf-Pop: IAD89-P1 X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA== cache-control: public, max-age=31536000 Accept-Ranges: bytes Age: 1068597 Date: Sun, 12 Jan 2025 17:47:14 GMT X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740076-EWR X-Cache: Miss from cloudfront, HIT, MISS X-Cache-Hits: 85, 0 X-Timer: S1736704034.259108,VS0,VE7 Strict-Transport-Security: max-age=300 Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Server: cat factory 1.0 X-Content-Type-Options: nosniff
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: ff d8 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 02 04 02 b8 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 06 07 0a 05 04 02 03 ff c4 00 49 10 00 01 03 02 05 03 03 02 03 06 03 06 03 05 09 00 00 02 03 04 05 06 01 07 08 09 12 0a 13 22 11 14 32 23 42 15 21 52 16 31 33 41 62 72 24 43 82 17 34 51 53 61 63 19 25 73 18 44 92 93 Data Ascii: CC"I"2#B!R13Abr$C4QSac%sD
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: a2 55 8f 88 1a d4 13 43 74 ed 90 35 3f b4 3d bb 67 dc 3a 97 cd ac b0 ac 2a f7 9d 32 35 12 97 65 56 a7 c9 95 8a 62 b6 da 9e 79 69 97 06 3a 70 6d 3d e6 53 c9 2a 56 3c 9c 4f 89 0b c0 00 00 02 43 ed b5 b6 f6 7c ee 99 a8 c7 34 c7 a7 6a ed b1 4e ae 31 6f ca ad 3f 50 bb a6 c8 8f 09 a8 b1 d4 d3 6a e4 a8 f1 de 73 96 2a 79 b4 a7 c3 ee fb 4f bb 73 ad b0 f3 c3 6a 3c f6 a4 e9 e3 50 57 f5 95 5e af 56 2d 76 6b ed 2e c7 9f 32 4b 11 e2 bb 22 44 74 25 c5 4a 8b 1d 5d cc 55 19 cc 78 a5 2a f1 e3 e5 e4 04 6a 05 89 eb 17 a6 9b 5d 5a 19 d1 8d 63 5c 59 df 9b 19 4c 9b 62 87 06 9e fc da 3d 2a bd 54 76 a9 ca 64 88 f1 da 65 2d aa 9c 96 54 e2 5c 90 8e 5f 57 8a 78 ab c9 5c 7f 3a ec 00 00 00 00 00 01 23 76 d4 db 1b 53 5b a8 e7 a4 ac 86 d3 23 34 36 27 52 e8 8e 55 ab 35 ab a2 6b d1 a9 d4 Data Ascii: UCt5?=g:25eVbyi:pm=SV<OC\|4jN1o?PjsyOsj<PW^V-vk.2K"Dt%J]Uxj]Zc\YLb=*Tvde-T\_Wx\:#vS[#46'RU5k
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: 1c 85 c7 5c 97 54 a7 1f e2 b7 b9 27 b9 8a 94 9e e7 1e 5c 78 a5 3c e6 6e 63 4c b6 e8 7b 8e 67 fd 0a cd 8c cc 7a 3c 3c ec ba d8 a4 b1 1b 0f 46 9b 8a 8a c4 a4 b4 94 7f 4e 09 c1 3e 80 62 1a 61 d3 bd fd ab 4d 43 d9 3a 67 ca e5 42 45 c1 7d dc 90 e8 b4 a7 aa 4e ad 11 a3 b9 21 c4 b7 de 7d 4d a5 6a 4b 2d f2 c5 6b 52 52 a5 71 4a b8 a5 58 f8 93 e3 39 3a 4e f7 44 ca 5c c6 b1 72 ae 9b 54 cb 4b c2 ab 7d 4c 94 dc 7f d9 4b 82 76 2d 52 22 c6 4b 4a 7e 74 e7 25 c1 8e 96 63 a3 bc d2 7d 53 dc 71 4a 71 29 4b 6a 52 92 93 cc e9 42 c8 c7 b3 8b 79 5b 32 e5 71 cf 48 f9 79 6d 56 6e 69 6d e2 9f 5e e6 18 46 f6 0d e1 ff 00 4e 2f 4f 65 5f e9 2c 53 aa ff 00 79 8d 45 e9 32 ef b4 f4 29 a4 6c c6 a9 d9 75 9a d5 b5 fb 41 7b dd b4 45 a9 8a 82 22 bc f3 8c c4 87 16 4a 55 ce 32 95 8c 77 dc 71 4d Data Ascii: \T'\x<ncL{gz<<FN>baMC:gBE}N!}MjK-kRRqJX9:ND\rTK}LKv-R"KJ~t%c}SqJq)KjRBy[2qHymVnim^FN/Oe_,SyE2)luA{E"JU2wqM
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: 6a 90 69 c8 b3 99 b8 5f 7e b6 d4 a9 29 52 d2 ca 90 98 be db 15 25 2d b8 a5 60 99 0a e2 96 d5 f2 f4 3a 3f cc 9c ef a1 ec 9f b2 4d 12 f7 bb 29 0d d5 a6 65 26 52 d1 28 b1 29 98 f2 69 35 4a d7 b6 8f 0d a6 d5 c5 3c 92 87 25 2f 93 8a f9 25 3d c5 7f 23 99 0d 7f ef 65 b8 0e e6 76 13 79 55 aa dc c9 a4 54 ed a8 77 62 6e 1a 3d 16 95 6d 45 82 dd 3a 4a 63 bd 1d 2d b6 b6 93 dc 71 b4 b6 fb bf c6 5b 8a f2 f9 01 11 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 9c 76 09 d6 ae df 1a 01 d9 46 83 1f 30 f5 8d 93 b4 cb e9 e8 55 db b6 e0 b4 55 98 b4 b4 d5 1c 94 b7 9e c6 34 75 c5 ef 25 e5 4a 54 56 22 37 db e3 dc e5 c5 1f a4 e6 38 01 64 fd Data Ascii: ji_~)R%-`:?M)e&R()i5J<%/%=#evyUTwbn=mE:Jc-q[vF0UU4u%JTV"78d
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: 4e b0 ab 7b 2f 5e af 52 e8 a8 a6 23 17 1c 5d 0e d3 6a 67 27 11 8a 98 4a 9c 71 ce db d2 5f 57 6d 2a 57 71 e5 76 f0 f8 a4 b7 bc dc db 47 a4 cb 55 d9 87 1f 51 94 7d 74 d8 56 0c 79 cf fb fa 8d a5 69 e7 55 22 8d 06 72 95 c5 6a 4b 90 66 a5 52 22 27 d3 fc b8 fe df 8f 25 78 a5 5f 10 9b fb 19 e4 9e dd b9 23 a6 ab 92 df db 42 35 52 af 64 33 79 3b 06 7e 63 d6 a4 f7 df bc 2a 11 d9 6d 2f 4a 6d de db 69 76 3b 6a 57 65 2b 69 b6 d9 52 9b 77 b6 9f de a5 51 66 50 6f 41 6f e9 c3 a8 df 32 37 02 bc 5d c2 ab 60 dc d7 95 6a da ad c9 a2 a3 17 dc 5d b7 dc 4c 58 52 98 f2 fa 8a 42 61 c0 79 5f bf 9a 5b 5a 52 9f 24 f1 9d 1b 99 75 04 6d fb a0 cd 11 bd b7 f6 cf 95 5a 55 56 b6 dd 09 da 0d 22 ad 69 a1 c5 d1 ad 58 af 60 ae f4 a6 e5 ab fd f6 62 bb 8b 52 54 da 9c 4f 79 6a 71 c7 31 52 78 39 Data Ascii: N{/^R#]jg'Jq_WmWqvGUQ}tVyiU"rjKfR"'%x_#B5Rd3y;~cm/Jmiv;jWe+iRwQfPoAo27]`j]LXRBay_[ZR$umZUV"iX`bRTOyjq1Rx9
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: ae 5d bf 2f 15 25 5a 1f 79 7d 20 e9 df 41 1b 86 5e ba 43 d3 45 c1 75 d5 a8 36 5b 34 f6 24 54 af 2a 84 59 32 9e 9a f4 36 65 3b e8 a8 cc 32 df 6d 3d f4 b7 c7 b7 cb 93 6a 02 2a 03 d6 b3 2d 4b 8a fd bb 29 76 3d a1 4a 5c ea ad 6a a2 cc 0a 5c 26 d4 9c 15 22 43 ce 25 b6 db 4f 2f cb 92 94 a4 a7 ff 00 d4 ba 2d ed fa 73 f6 f1 da df 6f 4a 96 a5 ec 8c ee cd 29 f7 c2 ab 74 aa 35 bb 02 e6 b8 29 6b a7 4d 99 21 dc 14 fa 7b 4c d3 59 79 7e 91 5a 96 e2 52 97 30 c5 3d be 58 f2 c1 2a 4a 82 91 c0 00 00 00 01 b7 b4 1b a6 99 3a c9 d6 8e 57 69 71 9c 26 60 cd ef 7b d3 e9 55 47 e9 ee b6 db f1 e0 b9 21 3e ee 43 6a 71 2a 4f 26 e3 f7 9c f2 4a bf 87 f1 57 c4 b1 0e a2 2d 8f 34 17 b4 56 46 65 fd d1 90 19 b5 99 55 7b c6 f6 bb 1f 88 9a 5d ef 5d a6 c8 63 1a 64 58 aa 54 97 9b 6e 3c 18 ee 77 Data Ascii: ]/%Zy} A^CEu6[4$TY26e;2m=j-K)v=J\j\&"C%O/-soJ)t5)kM!{LYy~ZR0=XJ:Wiq&`{UG!>CjqO&JW-4VFeU{]]cdXTn<w
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: 2e 1b b2 24 c9 75 2d 47 8e c3 78 ad c7 16 ac 70 4a 52 94 e1 f2 56 38 ff 00 20 3b 49 db 53 49 ba 1d db 0f 42 df b3 da 66 ce 56 2a 59 59 8b b3 2f 09 f9 91 71 dc d0 1f 62 63 2e b6 95 39 50 7a 7c 66 d9 8a a6 51 1d 86 d3 dd e2 94 a5 a6 53 c9 5e 3c 8a 67 b8 36 49 da ff 00 56 db ba 58 1a 7a d2 9e bc ee ec d4 a4 5d 96 dd cb 7d 67 75 e7 44 cc 4a 15 5e 64 37 12 e2 53 17 db 49 83 07 db b3 21 c9 8f 72 71 0e 25 c5 76 d4 95 27 06 fd 53 8a ac 3b 7c 39 8c ed f9 d3 a7 5e c8 eb 19 d6 a2 2e 15 81 6e 65 dd 31 0f 2b 97 26 56 a8 b0 e4 a7 d7 d7 c9 4a 86 89 3e 5f ab cb 1e 5f 99 05 ba 22 72 2a 2c fc cb cf 6d 4b d4 68 e9 c5 da 55 0e 93 6c 52 2a 38 e3 f9 f1 94 f3 d2 a5 b6 9c 3f fd a4 25 2b fb 93 fd 40 46 4e a8 2d 32 5b 3a 32 d4 3e 59 e9 d6 91 ac 5c f9 cd 99 c8 b2 5d ad cd 56 76 66 Data Ascii: .$u-GxpJRV8 ;ISIBfVYY/qbc.9Pz\|fQS^<g6IVXz]}guDJ^d7SI!rq%v'S;\|9^.ne1+&VJ>__"r,mKhUlR*8?%+@FN-2[:2>Y\]Vvf
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: 61 ac 70 6d aa b5 d7 5b a7 fd fe 4a 6a 1c 27 3f a5 3e 35 04 ff 00 d7 fd 25 03 16 49 d5 6b 9e 92 73 9b 79 7b de db 4b 7f e1 32 f2 dd a3 db 10 1c e5 8e 3c d2 98 b8 4e 7b 1f 4c 70 f1 f4 91 3d f4 ff 00 a7 97 dc 56 d8 16 91 b2 c7 4d 4e 68 ee 5b 97 ec ea 87 3f b3 12 46 5c e5 1b b2 1d 45 2e 44 38 69 76 ab 70 25 95 29 2e b9 1b b9 f4 e3 47 4a 92 a4 fb 87 12 e7 aa 9b 52 52 da b0 f2 27 2c 6e 91 cd a7 75 0b 97 d7 0a 34 59 b8 6d e1 5c b8 68 92 9c a6 cc aa 35 74 d0 ae 1a 7d 36 a6 94 f9 47 96 c4 08 ac b8 da d3 f7 36 a7 92 a4 e0 a2 7f ee 31 52 d1 46 85 f6 95 7e c5 d4 5e 4c de 97 4e 46 db f6 ed 22 d7 ac db 99 65 50 5c 69 4a a6 f2 66 3b 3c 9e 6a 6c 37 3d ba 94 96 d0 e7 17 b0 ee 25 dc 52 a4 a9 2a 52 4a b2 b3 3a 92 b4 8d a5 ac 8d b9 72 bb 64 3d a6 eb b4 67 9b a5 c8 ab dc 15 Data Ascii: apm[Jj'?>5%Iksy{K2<N{Lp=VMNh[?F\E.D8ivp%).GJRR',nu4Ym\h5t}6G61RF~^LNF"eP\iJf;<jl7=%R*RJ:rd=g
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: bf 61 1d 31 d6 f7 53 cd cd 00 ee 27 a9 e8 b4 69 59 65 2a 9a c5 9d 4b a1 dc b4 fa 54 eb e2 44 ce 33 22 e2 c3 13 52 f3 8f 36 a8 3e 8e 3d 1d 94 a9 c6 d5 21 b4 f7 3c 7c a4 bf 44 fe 99 73 56 8a f6 70 6a d6 bd 42 99 06 d0 ad 40 81 6e db f2 de 47 16 aa d2 9a 79 c7 a4 a9 bf 5f 92 59 fa 48 e5 87 8f 27 54 9f 92 55 c7 dc d3 f5 46 d3 d7 77 59 05 eb 99 36 cd 4a 3d 42 89 92 d6 dc bf 6c f4 54 7a a1 e7 a0 53 a3 d1 df c1 cc 71 f9 76 ea 13 de e2 a4 f1 fe 0b 7f 2f b8 2c 93 78 8c 9f d0 1e a4 b4 cd 0f 4b ba fe d6 2d 3f 27 2d 8b 92 b2 cc d8 72 5c bf a8 f4 09 15 65 41 52 55 8b 2d ae a8 db 8d ba db 6a 75 97 16 96 d3 c9 2a ed f9 27 d7 cb 9f 5d bb 3a 79 6e 2d cf 75 37 99 93 32 1b 34 5f b7 b4 ed 64 66 1d 46 8d 46 cc 7a c6 0d d4 66 d7 22 b3 25 58 30 98 b8 32 96 59 90 f2 a3 f6 5c 71 Data Ascii: a1S'iYeKTD3"R6>=!<\|DsVpjB@nGy_YH'TUFwY6J=BlTzSqv/,xK-?'-r\eARU-ju']:yn-u724_dfFFzf"%X02Y\q
2025-01-12 17:47:14 UTC	1371	IN	Data Raw: c9 c8 df 97 15 7d 4a 11 3a 0d e8 86 c8 d9 b1 ed 8c f8 d4 b5 42 0b 58 b1 36 7d 1a d9 a4 c8 f4 f3 4a 99 44 89 52 d3 fd b8 f7 e1 7f f0 ff 00 d0 09 31 d4 a1 92 1b 60 ea 3f 29 26 d6 f5 7f ad e5 5b 17 f6 4f 58 75 ca d5 8d 95 54 5c cc a2 d3 a6 d6 a6 48 8e 97 18 4a e0 cb 65 e9 0f 29 e7 22 32 d3 6a 6f 8f 8a 95 c4 83 f9 f9 d3 4d a1 8d 32 ec bf 27 70 2c e5 cd 7c d5 a5 e6 35 3f 27 29 f5 e9 b4 47 2b f4 b4 d2 d9 b8 a6 47 65 2c c1 52 30 a7 a9 cc 59 f7 92 5b 67 8e 0f 72 57 af f1 3e e2 21 ee 9d 54 8d b8 7f 51 6d d9 96 88 ac 49 f6 37 46 79 52 72 f1 87 b9 62 af 6e 88 f2 22 d1 56 a6 bf e0 9e e3 4e 38 9e 3f 2e 5c be e2 e2 fa c2 f3 8f fd 95 6d 39 4c ca 4a 2c 54 60 9b f3 32 69 54 97 9a 4e 3c 70 66 1c 56 64 4e f5 4f e5 fc 9d 89 19 3c 7f e0 a5 7e 90 2a 97 a7 4f 64 ac 8a dd ee b3 Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,\|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od

Target ID:	0
Start time:	12:47:02
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\CF537GfmKa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CF537GfmKa.exe"
Imagebase:	0x7ff7e12c0000
File size:	5'482'496 bytes
MD5 hash:	834C7FD865EEE5F7E17A3A1FB62E7051
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	12:47:03
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	12:47:07
Start date:	12/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CF537GfmKa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.funksec

Windows Analysis Report
CF537GfmKa.exe

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre