Edit tour

Windows Analysis Report
rZU3xTxOnl.exe

Overview

General Information

Sample name:	rZU3xTxOnl.exe renamed because original name is a hash value
Original sample name:	e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22.exe
Analysis ID:	1589532
MD5:	039f85a7670428430274476cbe733db4
SHA1:	f78a6b537244b544dc75a07bdbc7eda6ca15699e
SHA256:	e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
Tags:	exefunklockerfunksecransomwareRustyStealeruser-TheRavenFile
Infos:

Detection

FunkLocker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FunkLocker Ransomware

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates files in the recycle bin to hide itself

Disables Windows Defender (via service or powershell)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Sigma detected: Disable of ETW Trace

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Classification

Process Tree

System is w10x64

rZU3xTxOnl.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\rZU3xTxOnl.exe" MD5: 039F85A7670428430274476CBE733DB4)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7872 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7896 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

tasklist.exe (PID: 7916 cmdline: "tasklist" /fi "IMAGENAME eq vmware" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

powershell.exe (PID: 7944 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 432 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7952 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 1992 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7972 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 1988 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7992 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: rZU3xTxOnl.exe PID: 7768	JoeSecurity_funklocker	Yara detected FunkLocker Ransomware	Joe Security

Sigma Signatures

System Summary

Sigma detected: Disable of ETW Trace

Source: Process started

Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rZU3xTxOnl.exe", ParentImage: C:\Users\user\Desktop\rZU3xTxOnl.exe, ParentProcessId: 7768, ParentProcessName: rZU3xTxOnl.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 7952, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rZU3xTxOnl.exe", ParentImage: C:\Users\user\Desktop\rZU3xTxOnl.exe, ParentProcessId: 7768, ParentProcessName: rZU3xTxOnl.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7944, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Source: Process started

Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105: Data: Command: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Application /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7972, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, ProcessId: 1988, ProcessName: wevtutil.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rZU3xTxOnl.exe", ParentImage: C:\Users\user\Desktop\rZU3xTxOnl.exe, ParentProcessId: 7768, ParentProcessName: rZU3xTxOnl.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 7992, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rZU3xTxOnl.exe", ParentImage: C:\Users\user\Desktop\rZU3xTxOnl.exe, ParentProcessId: 7768, ParentProcessName: rZU3xTxOnl.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7944, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows\System32\VvD5lMoAcR.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: rZU3xTxOnl.exe	Virustotal: Detection: 63%			Perma Link
Source: rZU3xTxOnl.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.8:49705 version: TLS 1.2

Source: rZU3xTxOnl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: dev.pdbw source: rZU3xTxOnl.exe
Source:	Binary string: dev.pdb source: rZU3xTxOnl.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.8:52394 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: Joe Sandbox View

IP Address: 199.232.192.193 199.232.192.193

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: global traffic

DNS traffic detected: DNS query: i.imgur.com

Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: powershell.exe, 00000009.00000002.1499514079.000002275C5D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E5474D8000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E5474D8000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E5474D8000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E54750C000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E547481000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E547510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.live.com/0CR%1/30
Source: rZU3xTxOnl.exe	String found in binary or memory: http://ns.adobe.
Source: powershell.exe, 00000009.00000002.1471258004.0000022745A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
Source: powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1471258004.00000227449C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1471258004.0000022744091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1471258004.00000227449C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: powershell.exe, 00000009.00000002.1471258004.0000022744091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1471258004.00000227451C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1471258004.00000227456B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp0
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E547533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: rZU3xTxOnl.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474A6000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E547442000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1625324685.000001E5474A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E5474B8000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1625324685.000001E547437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: rZU3xTxOnl.exe	String found in binary or memory: https://getsession.org/
Source: powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1471258004.00000227456B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: rZU3xTxOnl.exe	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpegtO8
Source: rZU3xTxOnl.exe, 00000000.00000000.1413326488.00007FF7B16DB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpegtOn
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m-vnext.sqlazurelabs.com/
Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000009.00000002.1471258004.0000022745A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E54754B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: rZU3xTxOnl.exe	String found in binary or memory: https://www.blockchain.com/)
Source: rZU3xTxOnl.exe	String found in binary or memory: https://www.coinbase.com/)
Source: rZU3xTxOnl.exe	String found in binary or memory: https://www.torproject.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.8:49705 version: TLS 1.2

Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_e7147c53-8

Spam, unwanted Advertisements and Ransom Demands

Yara detected FunkLocker Ransomware

Source: Yara match

File source: Process Memory Space: rZU3xTxOnl.exe PID: 7768, type: MEMORYSTR

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File created: C:\Windows\System32\VvD5lMoAcR.exe			Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File created: C:\Windows\System32\VvD5lMoAcR.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547FDF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameIntegrator.exeB vs rZU3xTxOnl.exe

Source: rZU3xTxOnl.exe	Binary string: Failed to open \Device\Afd\Mio:
Source: rZU3xTxOnl.exe	Binary string: 0\Device\Afd\Mio

Source: rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectClass
Source: rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectsClass

Source: classification engine

Classification label: mal100.rans.evad.winEXE@21/163@1/1

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File created: C:\Users\user\Desktop\README-jbiEF8FBed.md

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_av0epsea.f1l.ps1

Jump to behavior

Source: rZU3xTxOnl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547BE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE SchemaVersions(schema_id INTEGER PRIMARY KEY NOT NULL, SchemaVersion INTEGER NOT NULL, GitSHA1 TEXT NOT NULL , UNIQUE (SchemaVersion, GitSHA1));
Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: rZU3xTxOnl.exe	Virustotal: Detection: 63%
Source: rZU3xTxOnl.exe	ReversingLabs: Detection: 68%

Source: rZU3xTxOnl.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File read: C:\Users\user\Desktop\rZU3xTxOnl.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rZU3xTxOnl.exe "C:\Users\user\Desktop\rZU3xTxOnl.exe"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\net.exe "net" session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rZU3xTxOnl.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rZU3xTxOnl.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: rZU3xTxOnl.exe

Static file information: File size 5472768 > 1048576

Source: rZU3xTxOnl.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37a000
Source: rZU3xTxOnl.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18bc00

Source: rZU3xTxOnl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: rZU3xTxOnl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dev.pdbw source: rZU3xTxOnl.exe
Source:	Binary string: dev.pdb source: rZU3xTxOnl.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File created: C:\Windows\System32\VvD5lMoAcR.exe

Jump to dropped file

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File created: C:\Windows\System32\VvD5lMoAcR.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7680	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1811	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1624	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1508	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7967	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1652	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 7680 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 1811 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep count: 1624 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 1508 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 182 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 7967 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 1652 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: rZU3xTxOnl.exe	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq \e8@
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=/
Source: tasklist.exe, 00000005.00000003.1418338245.00000263767D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000005.00000003.1418140185.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000005.00000002.1419116432.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMAGENAME eq vmware
Source: rZU3xTxOnl.exe, 00000000.00000000.1413326488.00007FF7B16DB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq \en
Source: tasklist.exe, 00000005.00000002.1419116432.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'0t
Source: tasklist.exe, 00000005.00000002.1419204462.00000263769D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'Eq
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eeKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=/
Source: rZU3xTxOnl.exe	Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=/
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ePXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=/
Source: tasklist.exe, 00000005.00000002.1419116432.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000005.00000002.1419116432.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'\|vc
Source: tasklist.exe, 00000005.00000002.1418995841.0000026376780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"
Source: rZU3xTxOnl.exe, 00000000.00000003.1649584436.000001E545B56000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000002.1650227062.000001E545B56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/05/23 09:00:55.304][MicrosoftEdgeUpdate:msedgeupdate][8164:8148][DllEntry]["C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDI1MUFGM0ItQkIzNS00RDJELThFOTYtMTk2NTU1QzVGOTRCfSIgdXNlcmlkPSJ7NTQ1Q0Y0MjgtNTk4RS00OEU5LThCRkItQzk3REVFN0QzNTU4fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4MTlGNTQ4Ny05MThDLTRFNkQtQTZGMC0yQ0FCRTIxRTI4Rjh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjIwMDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IkNIIiBvc19yZWdpb25fbmF0aW9uPSIyMjMiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IlZNd2FyZSwgSW5jLiIgcHJvZHVjdF9uYW1lPSJWTXdhcmUyMCwxIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTc3LjExIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC4yNCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjExOSIgcGluZ19mcmVzaG5lc3M9Ins0OUY1OTRFMy01OUQ0LTRENzctOUJDRC1DREM4QjY2QkNGRTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjExNy4wLjIwNDUuNDciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgY29ob3J0PSJycmZAMC4wNyIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjExOSIgcmQ9IjYxMTkiIHBpbmdfZnJlc2huZXNzPSJ7MTA2QzQwREUtNUU4Ni00N0E3LUJFMzMtRUJFOTRGMTRBMzhGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMTcuMC4yMDQ1LjQ3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGU9IjYxMTgiIGNvaG9ydD0icnJmQDAuNzUiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjYxMTkiIHBpbmdfZnJlc2huZXNzPSJ7RTJFMzhFMzMtREEyOS00MkZGLThFOTEtNkYwRkE4MkQ4MUVFfSIvPjwvYXBwPjwvcmVxdWVzdD4]
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=!
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:11:26.031][MicrosoftEdgeUpdate:msedgeupdate][6164:6168][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: tasklist.exe, 00000005.00000002.1419116432.00000263767BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware2@_
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/05/23 09:00:55.319][MicrosoftEdgeUpdate:msedgeupdate][8164:8148][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_stable=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_stable=4&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_stable=rrf@0.07&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_stable=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_stable=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_stable=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_stable=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_stable=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=86400&appInstallTimeDiffSec_stable=0&appInstallTimeDiffSec_webview=86400&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_stable=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_stable=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_stable=0&appLastLaunchTimeJson_stable=0&appLastLaunchTimeDaysAgo_stable=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_stable=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_stable=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_stable=117.0.2045.47&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=+
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:06:04.175][MicrosoftEdgeUpdate:msedgeupdate][8536:732][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=117.0.2045.47&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=9
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=e*1
Source: tasklist.exe, 00000005.00000002.1419186136.00000263767D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000005.00000002.1419204462.00000263769D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: > WHERE Caption = 'VMWARE'2\Wbem;C:\Windows\System32\WindowsPoerShell
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/05/23 09:00:54.241][MicrosoftEdgeUpdate:msedgeupdate][7476:8116][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"rrf@0.24","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.24,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.64,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"rrf@0.75","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.75,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: tasklist.exe, 00000005.00000002.1419204462.00000263769D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasklist/fiIMAGENAME eq vmware\UsersS
Source: rZU3xTxOnl.exe, 00000000.00000003.1649090351.000001E547982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:10:48.035][MicrosoftEdgeUpdate:msedgeupdate][4220:5516][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.72,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"92","AppRollout":0.65,"AppTargetVersionPrefix":"","AppVersion":"92.0.902.67","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.6,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=A
Source: tasklist.exe, 00000005.00000002.1418995841.0000026376780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware"C:\Windows\system32\tasklist.exeWinsta0\Default[
Source: rZU3xTxOnl.exe, 00000000.00000003.1566788366.000001E547C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eA8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=/

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\dbg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\AppV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.dat.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\DSS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\Keys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\PCPKSP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\SystemKeys\4fbf593b24f129e7d8c9fc84ba6a1ac3_9e146be9-c76a-4720-bcdb-53011b87bd06 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7e1cd04ad2694f1d89fd94ad5005a8e2-a696c450-a52d-45b4-844d-bb5b45de5f0c-7607.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7e1cd04ad2694f1d89fd94ad5005a8e2-a696c450-a52d-45b4-844d-bb5b45de5f0c-7607.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7e1cd04ad2694f1d89fd94ad5005a8e2-a696c450-a52d-45b4-844d-bb5b45de5f0c-7607.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventTranscript VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Sideload VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Siufloc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\DRM\Server VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\MapData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rZU3xTxOnl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Code function: 0_2_00007FF7B16C9148 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7B16C9148

Source: C:\Users\user\Desktop\rZU3xTxOnl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	21 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rZU3xTxOnl.exe	64%	Virustotal		Browse
rZU3xTxOnl.exe	68%	ReversingLabs	Win64.Ransomware.FunkSec

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\VvD5lMoAcR.exe	68%	ReversingLabs	Win64.Ransomware.FunkSec

Source	Detection	Scanner	Label
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	0%	Avira URL Cloud	safe
https://getsession.org/	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4.imgur.map.fastly.net	199.232.192.193	true	false		high
i.imgur.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft	powershell.exe, 00000009.00000002.1499514079.000002275C5D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.imgur.com/HCYQoVR.jpegtO8	rZU3xTxOnl.exe	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://g.live.com/0CR%1/30	rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	rZU3xTxOnl.exe	false		high
https://g.live.com/odclientsettings/ProdV2.C:	rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	rZU3xTxOnl.exe	false		high
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	rZU3xTxOnl.exe, 00000000.00000003.1573889769.000001E547BE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474A6000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E547442000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1471258004.0000022745A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1471258004.0000022744091000.00000004.00000800.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getsession.org/	rZU3xTxOnl.exe	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/HCYQoVR.jpegtOn	rZU3xTxOnl.exe, 00000000.00000000.1413326488.00007FF7B16DB000.00000002.00000001.01000000.00000003.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1471258004.0000022745A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000009.00000002.1471258004.00000227451C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1471258004.00000227449C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000009.00000002.1471258004.00000227456B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1493884811.0000022754104000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2/C:	rZU3xTxOnl.exe, 00000000.00000003.1629950647.000001E5474B8000.00000004.00000020.00020000.00000000.sdmp, rZU3xTxOnl.exe, 00000000.00000003.1625324685.000001E547437000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	rZU3xTxOnl.exe, 00000000.00000003.1625324685.000001E5474A9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.coinbase.com/)	rZU3xTxOnl.exe	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	rZU3xTxOnl.exe, 00000000.00000003.1626680514.000001E5474F6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.1471258004.00000227442B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1471258004.00000227449C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	rZU3xTxOnl.exe, 00000000.00000003.1600554641.000001E547BEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.1471258004.0000022744091000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.	rZU3xTxOnl.exe	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp0	powershell.exe, 00000009.00000002.1471258004.00000227456B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.blockchain.com/)	rZU3xTxOnl.exe	false		high
https://login.microsoftonline.com/common	rZU3xTxOnl.exe, 00000000.00000003.1622663577.000001E5479F0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.232.192.193	ipv4.imgur.map.fastly.net	United States		54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589532
Start date and time:	2025-01-12 18:49:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rZU3xTxOnl.exe renamed because original name is a hash value
Original Sample Name:	e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22.exe
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@21/163@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7992 because it is empty
Execution Graph export aborted for target rZU3xTxOnl.exe, PID 7768 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:50:11	API Interceptor	51x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.232.192.193	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipv4.imgur.map.fastly.net	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse	199.232.196.193
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	199.232.196.193
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse	199.232.192.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	PDF-523.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse	199.232.192.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	199.232.192.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	199.232.192.193
	c2.hta	Get hash	malicious	Unknown	Browse	199.232.192.193

Process:	C:\Users\user\Desktop\rZU3xTxOnl.exe
File Type:	data
Category:	dropped
Size (bytes):	249
Entropy (8bit):	7.166475927895621
Encrypted:	false
SSDEEP:	3:6yT35eMbFrWumgSlrwFfvmdbO185K89W3iygjZP8PCNIgtyIJxkqWo92wPKeNFpN:6AFrpL5h5CW3iFjZ0PKIgtyIBpKePp1H
MD5:	F763562CCFD2C3BF6C8097201E0C260B
SHA1:	02641C35EC3806A04F2913001F05AC2EC62C6212
SHA-256:	901DA0B91EEA547D114A87533DCFE66ABA0386452BD29DD799E51704823C48C4
SHA-512:	AE10632EED0F6C460774A72E826DE27C3F2317EDBFDADE53BB82EF3649245749E93976D40E3F8960385C2E05695DBE3D8236DA761B8D649DDC2D26CB12A4C83A
Malicious:	true
Preview:	.X!Vc@lKpc..};tO>`._zt3.[<.?.7.....>.m.U`..O.m.I..N=..5c.. .....d.<....e!EL......-C ..&.k.F.m......*L?....N.%...c..W...dp.;..fv1l..d.......M.....)Z.6]e9.}B{.8E.k..aI..^(.S..(..(..1...%.8............7@.8..h..o..Gu#...7...HD.Y.G<!Wh..]vs...

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.243995355509541
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rZU3xTxOnl.exe
File size:	5'472'768 bytes
MD5:	039f85a7670428430274476cbe733db4
SHA1:	f78a6b537244b544dc75a07bdbc7eda6ca15699e
SHA256:	e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
SHA512:	9a7b8de0deb8921800d11e8883db3ada603c94a1fcedb161ca33188121522ac914d0f654f39b77723f4486f59776c8df4fff191a0fa0ef0d775bc93ab0b12eb9
SSDEEP:	49152:1IfGg/Y7M7n25Zh990ZRKAYm7JwS6H+3buIwrvYqX1+TjOS4SSOFApPITHJoy/SV:lM7nZNF7as4QWh6QJO9xu
TLSH:	1A462922BB5A99ADC89AC0B083564B72297134CB0B3579FF45C446783E6DAF42F3C758
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d.....zg.........."

Entrypoint:	0x140368eec
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677AFD81 [Sun Jan 5 21:45:37 2025 UTC]
TLS Callbacks:	0x4034fea0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	243a1608a8fa57ca30e52a00bd498408

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50545c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x50b000	0x28dc4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x534000	0x611c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x474950	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x474a00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x474810	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37b000	0x660	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x379faf	0x37a000	c2d58fe6942cb10a4d3fc8e22a8bb274	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37b000	0x18bbe8	0x18bc00	83033227e93583087cf37c45498084bc	False	0.262551573357549	data	5.395305803402578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x507000	0x3310	0x3200	03d674805efe7778627a8427b9d46757	False	0.16109375	data	2.383083967968346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x50b000	0x28dc4	0x28e00	096b6839d83c16fbd3b4eaa90f314a11	False	0.5011647075688074	data	6.4191045102920175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x534000	0x611c	0x6200	60992eb86a779bc458193fa0cdc29c3a	False	0.4290098852040816	data	5.454528015431207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
kernel32.dll	GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SetHandleInformation, GetSystemTimeAsFileTime, InitializeSListHead, lstrlenW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, DuplicateHandle, CreateWaitableTimerExW
ws2_32.dll	send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
user32.dll	SystemParametersInfoW
shell32.dll	SHGetKnownFolderPath
ole32.dll	CoTaskMemFree
advapi32.dll	RegOpenKeyExW, RegQueryValueExW, RegCloseKey, SystemFunction036
secur32.dll	AcquireCredentialsHandleA, DeleteSecurityContext, DecryptMessage, QueryContextAttributesW, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, ApplyControlToken, EncryptMessage, FreeCredentialsHandle
crypt32.dll	CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll	NtCancelIoFileEx, NtCreateFile, NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	memcmp, __current_exception_context, memmove, __current_exception, memset, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll	powf, pow, round, roundf, truncf, ceil, exp2f, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:50:19.708713055 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:19.708755970 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:19.708811998 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:19.720037937 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:19.720058918 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.286555052 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.286619902 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.289010048 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.289016962 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.289323092 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.340639114 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.345468998 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.387337923 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442154884 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442209005 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442229033 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442276955 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.442287922 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442298889 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442348957 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.442759037 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.442800999 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.442810059 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.443051100 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.443072081 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.443095922 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.443103075 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.443109989 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.443135977 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.455709934 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.455759048 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.455766916 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.496872902 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.496882915 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529407024 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529439926 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529479027 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529498100 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529515028 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.529525042 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.529557943 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.529570103 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.529572964 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.530230999 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.530263901 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.530284882 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.530292988 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.530332088 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.530344963 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:20.530389071 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.530872107 CET	49705	443	192.168.2.8	199.232.192.193
Jan 12, 2025 18:50:20.530885935 CET	443	49705	199.232.192.193	192.168.2.8
Jan 12, 2025 18:50:52.176639080 CET	52394	53	192.168.2.8	162.159.36.2
Jan 12, 2025 18:50:52.181461096 CET	53	52394	162.159.36.2	192.168.2.8
Jan 12, 2025 18:50:52.181535959 CET	52394	53	192.168.2.8	162.159.36.2
Jan 12, 2025 18:50:52.186431885 CET	53	52394	162.159.36.2	192.168.2.8
Jan 12, 2025 18:50:52.658704996 CET	52394	53	192.168.2.8	162.159.36.2
Jan 12, 2025 18:50:52.663695097 CET	53	52394	162.159.36.2	192.168.2.8
Jan 12, 2025 18:50:52.663752079 CET	52394	53	192.168.2.8	162.159.36.2

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:50:19.695416927 CET	65417	53	192.168.2.8	1.1.1.1
Jan 12, 2025 18:50:19.705315113 CET	53	65417	1.1.1.1	192.168.2.8
Jan 12, 2025 18:50:52.176136017 CET	53	61376	162.159.36.2	192.168.2.8
Jan 12, 2025 18:50:52.920397043 CET	53	49491	1.1.1.1	192.168.2.8

Timestamp	Bytes transferred	Direction	Data
2025-01-12 17:50:20 UTC	62	OUT	GET /HCYQoVR.jpeg HTTP/1.1 accept: / host: i.imgur.com
2025-01-12 17:50:20 UTC	762	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28864 Content-Type: image/jpeg Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT ETag: "70f83e99427ac54b92283eaecb69c5df" x-amz-server-side-encryption: AES256 X-Amz-Cf-Pop: IAD89-P1 X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA== cache-control: public, max-age=31536000 Accept-Ranges: bytes Date: Sun, 12 Jan 2025 17:50:20 GMT Age: 1068783 X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740073-EWR X-Cache: Miss from cloudfront, HIT, HIT X-Cache-Hits: 85, 1 X-Timer: S1736704220.391462,VS0,VE1 Strict-Transport-Security: max-age=300 Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Server: cat factory 1.0 X-Content-Type-Options: nosniff
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: ff d8 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 02 04 02 b8 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 06 07 0a 05 04 02 03 ff c4 00 49 10 00 01 03 02 05 03 03 02 03 06 03 06 03 05 09 00 00 02 03 04 05 06 01 07 08 09 12 0a 13 22 11 14 32 23 42 15 21 52 16 31 33 41 62 72 24 43 82 17 34 51 53 61 63 19 25 73 18 44 92 93 Data Ascii: CC"I"2#B!R13Abr$C4QSac%sD
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: a2 55 8f 88 1a d4 13 43 74 ed 90 35 3f b4 3d bb 67 dc 3a 97 cd ac b0 ac 2a f7 9d 32 35 12 97 65 56 a7 c9 95 8a 62 b6 da 9e 79 69 97 06 3a 70 6d 3d e6 53 c9 2a 56 3c 9c 4f 89 0b c0 00 00 02 43 ed b5 b6 f6 7c ee 99 a8 c7 34 c7 a7 6a ed b1 4e ae 31 6f ca ad 3f 50 bb a6 c8 8f 09 a8 b1 d4 d3 6a e4 a8 f1 de 73 96 2a 79 b4 a7 c3 ee fb 4f bb 73 ad b0 f3 c3 6a 3c f6 a4 e9 e3 50 57 f5 95 5e af 56 2d 76 6b ed 2e c7 9f 32 4b 11 e2 bb 22 44 74 25 c5 4a 8b 1d 5d cc 55 19 cc 78 a5 2a f1 e3 e5 e4 04 6a 05 89 eb 17 a6 9b 5d 5a 19 d1 8d 63 5c 59 df 9b 19 4c 9b 62 87 06 9e fc da 3d 2a bd 54 76 a9 ca 64 88 f1 da 65 2d aa 9c 96 54 e2 5c 90 8e 5f 57 8a 78 ab c9 5c 7f 3a ec 00 00 00 00 00 01 23 76 d4 db 1b 53 5b a8 e7 a4 ac 86 d3 23 34 36 27 52 e8 8e 55 ab 35 ab a2 6b d1 a9 d4 Data Ascii: UCt5?=g:25eVbyi:pm=SV<OC\|4jN1o?PjsyOsj<PW^V-vk.2K"Dt%J]Uxj]Zc\YLb=*Tvde-T\_Wx\:#vS[#46'RU5k
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: 1c 85 c7 5c 97 54 a7 1f e2 b7 b9 27 b9 8a 94 9e e7 1e 5c 78 a5 3c e6 6e 63 4c b6 e8 7b 8e 67 fd 0a cd 8c cc 7a 3c 3c ec ba d8 a4 b1 1b 0f 46 9b 8a 8a c4 a4 b4 94 7f 4e 09 c1 3e 80 62 1a 61 d3 bd fd ab 4d 43 d9 3a 67 ca e5 42 45 c1 7d dc 90 e8 b4 a7 aa 4e ad 11 a3 b9 21 c4 b7 de 7d 4d a5 6a 4b 2d f2 c5 6b 52 52 a5 71 4a b8 a5 58 f8 93 e3 39 3a 4e f7 44 ca 5c c6 b1 72 ae 9b 54 cb 4b c2 ab 7d 4c 94 dc 7f d9 4b 82 76 2d 52 22 c6 4b 4a 7e 74 e7 25 c1 8e 96 63 a3 bc d2 7d 53 dc 71 4a 71 29 4b 6a 52 92 93 cc e9 42 c8 c7 b3 8b 79 5b 32 e5 71 cf 48 f9 79 6d 56 6e 69 6d e2 9f 5e e6 18 46 f6 0d e1 ff 00 4e 2f 4f 65 5f e9 2c 53 aa ff 00 79 8d 45 e9 32 ef b4 f4 29 a4 6c c6 a9 d9 75 9a d5 b5 fb 41 7b dd b4 45 a9 8a 82 22 bc f3 8c c4 87 16 4a 55 ce 32 95 8c 77 dc 71 4d Data Ascii: \T'\x<ncL{gz<<FN>baMC:gBE}N!}MjK-kRRqJX9:ND\rTK}LKv-R"KJ~t%c}SqJq)KjRBy[2qHymVnim^FN/Oe_,SyE2)luA{E"JU2wqM
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: 6a 90 69 c8 b3 99 b8 5f 7e b6 d4 a9 29 52 d2 ca 90 98 be db 15 25 2d b8 a5 60 99 0a e2 96 d5 f2 f4 3a 3f cc 9c ef a1 ec 9f b2 4d 12 f7 bb 29 0d d5 a6 65 26 52 d1 28 b1 29 98 f2 69 35 4a d7 b6 8f 0d a6 d5 c5 3c 92 87 25 2f 93 8a f9 25 3d c5 7f 23 99 0d 7f ef 65 b8 0e e6 76 13 79 55 aa dc c9 a4 54 ed a8 77 62 6e 1a 3d 16 95 6d 45 82 dd 3a 4a 63 bd 1d 2d b6 b6 93 dc 71 b4 b6 fb bf c6 5b 8a f2 f9 01 11 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 9c 76 09 d6 ae df 1a 01 d9 46 83 1f 30 f5 8d 93 b4 cb e9 e8 55 db b6 e0 b4 55 98 b4 b4 d5 1c 94 b7 9e c6 34 75 c5 ef 25 e5 4a 54 56 22 37 db e3 dc e5 c5 1f a4 e6 38 01 64 fd Data Ascii: ji_~)R%-`:?M)e&R()i5J<%/%=#evyUTwbn=mE:Jc-q[vF0UU4u%JTV"78d
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: 4e b0 ab 7b 2f 5e af 52 e8 a8 a6 23 17 1c 5d 0e d3 6a 67 27 11 8a 98 4a 9c 71 ce db d2 5f 57 6d 2a 57 71 e5 76 f0 f8 a4 b7 bc dc db 47 a4 cb 55 d9 87 1f 51 94 7d 74 d8 56 0c 79 cf fb fa 8d a5 69 e7 55 22 8d 06 72 95 c5 6a 4b 90 66 a5 52 22 27 d3 fc b8 fe df 8f 25 78 a5 5f 10 9b fb 19 e4 9e dd b9 23 a6 ab 92 df db 42 35 52 af 64 33 79 3b 06 7e 63 d6 a4 f7 df bc 2a 11 d9 6d 2f 4a 6d de db 69 76 3b 6a 57 65 2b 69 b6 d9 52 9b 77 b6 9f de a5 51 66 50 6f 41 6f e9 c3 a8 df 32 37 02 bc 5d c2 ab 60 dc d7 95 6a da ad c9 a2 a3 17 dc 5d b7 dc 4c 58 52 98 f2 fa 8a 42 61 c0 79 5f bf 9a 5b 5a 52 9f 24 f1 9d 1b 99 75 04 6d fb a0 cd 11 bd b7 f6 cf 95 5a 55 56 b6 dd 09 da 0d 22 ad 69 a1 c5 d1 ad 58 af 60 ae f4 a6 e5 ab fd f6 62 bb 8b 52 54 da 9c 4f 79 6a 71 c7 31 52 78 39 Data Ascii: N{/^R#]jg'Jq_WmWqvGUQ}tVyiU"rjKfR"'%x_#B5Rd3y;~cm/Jmiv;jWe+iRwQfPoAo27]`j]LXRBay_[ZR$umZUV"iX`bRTOyjq1Rx9
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: ae 5d bf 2f 15 25 5a 1f 79 7d 20 e9 df 41 1b 86 5e ba 43 d3 45 c1 75 d5 a8 36 5b 34 f6 24 54 af 2a 84 59 32 9e 9a f4 36 65 3b e8 a8 cc 32 df 6d 3d f4 b7 c7 b7 cb 93 6a 02 2a 03 d6 b3 2d 4b 8a fd bb 29 76 3d a1 4a 5c ea ad 6a a2 cc 0a 5c 26 d4 9c 15 22 43 ce 25 b6 db 4f 2f cb 92 94 a4 a7 ff 00 d4 ba 2d ed fa 73 f6 f1 da df 6f 4a 96 a5 ec 8c ee cd 29 f7 c2 ab 74 aa 35 bb 02 e6 b8 29 6b a7 4d 99 21 dc 14 fa 7b 4c d3 59 79 7e 91 5a 96 e2 52 97 30 c5 3d be 58 f2 c1 2a 4a 82 91 c0 00 00 00 01 b7 b4 1b a6 99 3a c9 d6 8e 57 69 71 9c 26 60 cd ef 7b d3 e9 55 47 e9 ee b6 db f1 e0 b9 21 3e ee 43 6a 71 2a 4f 26 e3 f7 9c f2 4a bf 87 f1 57 c4 b1 0e a2 2d 8f 34 17 b4 56 46 65 fd d1 90 19 b5 99 55 7b c6 f6 bb 1f 88 9a 5d ef 5d a6 c8 63 1a 64 58 aa 54 97 9b 6e 3c 18 ee 77 Data Ascii: ]/%Zy} A^CEu6[4$TY26e;2m=j-K)v=J\j\&"C%O/-soJ)t5)kM!{LYy~ZR0=XJ:Wiq&`{UG!>CjqO&JW-4VFeU{]]cdXTn<w
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: 2e 1b b2 24 c9 75 2d 47 8e c3 78 ad c7 16 ac 70 4a 52 94 e1 f2 56 38 ff 00 20 3b 49 db 53 49 ba 1d db 0f 42 df b3 da 66 ce 56 2a 59 59 8b b3 2f 09 f9 91 71 dc d0 1f 62 63 2e b6 95 39 50 7a 7c 66 d9 8a a6 51 1d 86 d3 dd e2 94 a5 a6 53 c9 5e 3c 8a 67 b8 36 49 da ff 00 56 db ba 58 1a 7a d2 9e bc ee ec d4 a4 5d 96 dd cb 7d 67 75 e7 44 cc 4a 15 5e 64 37 12 e2 53 17 db 49 83 07 db b3 21 c9 8f 72 71 0e 25 c5 76 d4 95 27 06 fd 53 8a ac 3b 7c 39 8c ed f9 d3 a7 5e c8 eb 19 d6 a2 2e 15 81 6e 65 dd 31 0f 2b 97 26 56 a8 b0 e4 a7 d7 d7 c9 4a 86 89 3e 5f ab cb 1e 5f 99 05 ba 22 72 2a 2c fc cb cf 6d 4b d4 68 e9 c5 da 55 0e 93 6c 52 2a 38 e3 f9 f1 94 f3 d2 a5 b6 9c 3f fd a4 25 2b fb 93 fd 40 46 4e a8 2d 32 5b 3a 32 d4 3e 59 e9 d6 91 ac 5c f9 cd 99 c8 b2 5d ad cd 56 76 66 Data Ascii: .$u-GxpJRV8 ;ISIBfVYY/qbc.9Pz\|fQS^<g6IVXz]}guDJ^d7SI!rq%v'S;\|9^.ne1+&VJ>__"r,mKhUlR*8?%+@FN-2[:2>Y\]Vvf
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: 61 ac 70 6d aa b5 d7 5b a7 fd fe 4a 6a 1c 27 3f a5 3e 35 04 ff 00 d7 fd 25 03 16 49 d5 6b 9e 92 73 9b 79 7b de db 4b 7f e1 32 f2 dd a3 db 10 1c e5 8e 3c d2 98 b8 4e 7b 1f 4c 70 f1 f4 91 3d f4 ff 00 a7 97 dc 56 d8 16 91 b2 c7 4d 4e 68 ee 5b 97 ec ea 87 3f b3 12 46 5c e5 1b b2 1d 45 2e 44 38 69 76 ab 70 25 95 29 2e b9 1b b9 f4 e3 47 4a 92 a4 fb 87 12 e7 aa 9b 52 52 da b0 f2 27 2c 6e 91 cd a7 75 0b 97 d7 0a 34 59 b8 6d e1 5c b8 68 92 9c a6 cc aa 35 74 d0 ae 1a 7d 36 a6 94 f9 47 96 c4 08 ac b8 da d3 f7 36 a7 92 a4 e0 a2 7f ee 31 52 d1 46 85 f6 95 7e c5 d4 5e 4c de 97 4e 46 db f6 ed 22 d7 ac db 99 65 50 5c 69 4a a6 f2 66 3b 3c 9e 6a 6c 37 3d ba 94 96 d0 e7 17 b0 ee 25 dc 52 a4 a9 2a 52 4a b2 b3 3a 92 b4 8d a5 ac 8d b9 72 bb 64 3d a6 eb b4 67 9b a5 c8 ab dc 15 Data Ascii: apm[Jj'?>5%Iksy{K2<N{Lp=VMNh[?F\E.D8ivp%).GJRR',nu4Ym\h5t}6G61RF~^LNF"eP\iJf;<jl7=%R*RJ:rd=g
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: bf 61 1d 31 d6 f7 53 cd cd 00 ee 27 a9 e8 b4 69 59 65 2a 9a c5 9d 4b a1 dc b4 fa 54 eb e2 44 ce 33 22 e2 c3 13 52 f3 8f 36 a8 3e 8e 3d 1d 94 a9 c6 d5 21 b4 f7 3c 7c a4 bf 44 fe 99 73 56 8a f6 70 6a d6 bd 42 99 06 d0 ad 40 81 6e db f2 de 47 16 aa d2 9a 79 c7 a4 a9 bf 5f 92 59 fa 48 e5 87 8f 27 54 9f 92 55 c7 dc d3 f5 46 d3 d7 77 59 05 eb 99 36 cd 4a 3d 42 89 92 d6 dc bf 6c f4 54 7a a1 e7 a0 53 a3 d1 df c1 cc 71 f9 76 ea 13 de e2 a4 f1 fe 0b 7f 2f b8 2c 93 78 8c 9f d0 1e a4 b4 cd 0f 4b ba fe d6 2d 3f 27 2d 8b 92 b2 cc d8 72 5c bf a8 f4 09 15 65 41 52 55 8b 2d ae a8 db 8d ba db 6a 75 97 16 96 d3 c9 2a ed f9 27 d7 cb 9f 5d bb 3a 79 6e 2d cf 75 37 99 93 32 1b 34 5f b7 b4 ed 64 66 1d 46 8d 46 cc 7a c6 0d d4 66 d7 22 b3 25 58 30 98 b8 32 96 59 90 f2 a3 f6 5c 71 Data Ascii: a1S'iYeKTD3"R6>=!<\|DsVpjB@nGy_YH'TUFwY6J=BlTzSqv/,xK-?'-r\eARU-ju']:yn-u724_dfFFzf"%X02Y\q
2025-01-12 17:50:20 UTC	1371	IN	Data Raw: c9 c8 df 97 15 7d 4a 11 3a 0d e8 86 c8 d9 b1 ed 8c f8 d4 b5 42 0b 58 b1 36 7d 1a d9 a4 c8 f4 f3 4a 99 44 89 52 d3 fd b8 f7 e1 7f f0 ff 00 d0 09 31 d4 a1 92 1b 60 ea 3f 29 26 d6 f5 7f ad e5 5b 17 f6 4f 58 75 ca d5 8d 95 54 5c cc a2 d3 a6 d6 a6 48 8e 97 18 4a e0 cb 65 e9 0f 29 e7 22 32 d3 6a 6f 8f 8a 95 c4 83 f9 f9 d3 4d a1 8d 32 ec bf 27 70 2c e5 cd 7c d5 a5 e6 35 3f 27 29 f5 e9 b4 47 2b f4 b4 d2 d9 b8 a6 47 65 2c c1 52 30 a7 a9 cc 59 f7 92 5b 67 8e 0f 72 57 af f1 3e e2 21 ee 9d 54 8d b8 7f 51 6d d9 96 88 ac 49 f6 37 46 79 52 72 f1 87 b9 62 af 6e 88 f2 22 d1 56 a6 bf e0 9e e3 4e 38 9e 3f 2e 5c be e2 e2 fa c2 f3 8f fd 95 6d 39 4c ca 4a 2c 54 60 9b f3 32 69 54 97 9a 4e 3c 70 66 1c 56 64 4e f5 4f e5 fc 9d 89 19 3c 7f e0 a5 7e 90 2a 97 a7 4f 64 ac 8a dd ee b3 Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,\|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od

Target ID:	0
Start time:	12:50:08
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\rZU3xTxOnl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rZU3xTxOnl.exe"
Imagebase:	0x7ff7b1360000
File size:	5'472'768 bytes
MD5 hash:	039F85A7670428430274476CBE733DB4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	12:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	12:50:15
Start date:	12/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rZU3xTxOnl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\VirtualRegistry.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\MasterDescriptor.en-us.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\en-us.16\stream.x86.en-us.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\operations.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\MasterDescriptor.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\78614DC7-9853-4481-BCFD-A5C14DED5516\x-none.16\stream.x86.x-none.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.funksec

Windows Analysis Report
rZU3xTxOnl.exe

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre