Edit tour

Windows Analysis Report
xRdfz79jMR.exe

Overview

General Information

Sample name:	xRdfz79jMR.exe renamed because original name is a hash value
Original sample name:	dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966.exe
Analysis ID:	1589533
MD5:	ca8ff8fb255a47d4be94af4ee3327c07
SHA1:	4c0c4941a31f9e45b422704a18fdfb44c2c1c4fa
SHA256:	dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966
Tags:	exefunklockerfunksecransomwareuser-TheRavenFile
Infos:

Detection

FunkLocker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FunkLocker Ransomware

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Disables Windows Defender (via service or powershell)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Sigma detected: Disable of ETW Trace

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xRdfz79jMR.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\xRdfz79jMR.exe" MD5: CA8FF8FB255A47D4BE94AF4EE3327C07)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7380 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7396 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

powershell.exe (PID: 7412 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7908 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7420 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 7840 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7432 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)

wevtutil.exe (PID: 7848 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)

powershell.exe (PID: 7452 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: xRdfz79jMR.exe PID: 7312	JoeSecurity_funklocker	Yara detected FunkLocker Ransomware	Joe Security

Sigma Signatures

System Summary

Sigma detected: Disable of ETW Trace

Source: Process started

Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xRdfz79jMR.exe", ParentImage: C:\Users\user\Desktop\xRdfz79jMR.exe, ParentProcessId: 7312, ParentProcessName: xRdfz79jMR.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xRdfz79jMR.exe", ParentImage: C:\Users\user\Desktop\xRdfz79jMR.exe, ParentProcessId: 7312, ParentProcessName: xRdfz79jMR.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7412, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Suspicious Eventlog Clear or Configuration Change

Source: Process started

Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105: Data: Command: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7420, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Security /e:false, ProcessId: 7840, ProcessName: wevtutil.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xRdfz79jMR.exe", ParentImage: C:\Users\user\Desktop\xRdfz79jMR.exe, ParentProcessId: 7312, ParentProcessName: xRdfz79jMR.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 7452, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xRdfz79jMR.exe", ParentImage: C:\Users\user\Desktop\xRdfz79jMR.exe, ParentProcessId: 7312, ParentProcessName: xRdfz79jMR.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 7412, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows\System32\75g4T9DLiA.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: xRdfz79jMR.exe	ReversingLabs: Detection: 65%
Source: xRdfz79jMR.exe	Virustotal: Detection: 59%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.4% probability

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: xRdfz79jMR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: dev.pdbw source: xRdfz79jMR.exe
Source:	Binary string: dev.pdb source: xRdfz79jMR.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: Joe Sandbox View

IP Address: 199.232.192.193 199.232.192.193

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1accept: */*host: i.imgur.com

Source: global traffic

DNS traffic detected: DNS query: i.imgur.com

Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144407000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D1444C2000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14448E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14448E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14448E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144407000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D1444C2000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14448E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144407000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D1444C2000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14448E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D1444C2000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D14443C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.live.com/0CR%1/30
Source: xRdfz79jMR.exe	String found in binary or memory: http://ns.adobe.
Source: powershell.exe, 00000007.00000002.1756883927.0000025B44193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B435CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B435CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1756883927.0000025B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1796496220.0000025B5AB93000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: xRdfz79jMR.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14446E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14446E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144492000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: xRdfz79jMR.exe	String found in binary or memory: https://getsession.org/
Source: powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: xRdfz79jMR.exe	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
Source: xRdfz79jMR.exe	String found in binary or memory: https://i.imgur.com/HCYQoVR.jpegx
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m-vnext.sqlazurelabs.com/
Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000007.00000002.1756883927.0000025B44193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14446E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: xRdfz79jMR.exe	String found in binary or memory: https://www.blockchain.com/)
Source: xRdfz79jMR.exe	String found in binary or memory: https://www.coinbase.com/)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_081c37c3-8

Spam, unwanted Advertisements and Ransom Demands

Yara detected FunkLocker Ransomware

Source: Yara match

File source: Process Memory Space: xRdfz79jMR.exe PID: 7312, type: MEMORYSTR

Deletes shadow drive data (may be related to ransomware)

Source: xRdfz79jMR.exe, 00000000.00000002.1855117296.00007FF6D33BD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
Source: xRdfz79jMR.exe, 00000000.00000000.1683441841.00007FF6D33BD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
Source: xRdfz79jMR.exe	Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File created: C:\Windows\System32\75g4T9DLiA.exe			Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File created: C:\Windows\System32\75g4T9DLiA.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D144BD7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameIntegrator.exeB vs xRdfz79jMR.exe

Source: xRdfz79jMR.exe	Binary string: Failed to open \Device\Afd\Mio: P
Source: xRdfz79jMR.exe	Binary string: 0\Device\Afd\Mio

Source: xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectClass
Source: xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.Vbe.Interop.VBProjectsClass

Source: classification engine

Classification label: mal100.rans.evad.winEXE@19/157@1/1

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File created: C:\Users\user\Desktop\README-A8XMD6DR7G.md

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjxcsf2z.1pl.ps1

Jump to behavior

Source: xRdfz79jMR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D1447EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE SchemaVersions(schema_id INTEGER PRIMARY KEY NOT NULL, SchemaVersion INTEGER NOT NULL, GitSHA1 TEXT NOT NULL , UNIQUE (SchemaVersion, GitSHA1));
Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: xRdfz79jMR.exe	ReversingLabs: Detection: 65%
Source: xRdfz79jMR.exe	Virustotal: Detection: 59%

Source: xRdfz79jMR.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of blockH

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File read: C:\Users\user\Desktop\xRdfz79jMR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xRdfz79jMR.exe "C:\Users\user\Desktop\xRdfz79jMR.exe"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\net.exe "net" session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: xRdfz79jMR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xRdfz79jMR.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xRdfz79jMR.exe

Static file information: File size 5479936 > 1048576

Source: xRdfz79jMR.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37be00
Source: xRdfz79jMR.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18ba00

Source: xRdfz79jMR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: xRdfz79jMR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dev.pdbw source: xRdfz79jMR.exe
Source:	Binary string: dev.pdb source: xRdfz79jMR.exe
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_00007FFD9B7D00AD pushad ; iretd

7_2_00007FFD9B7D00C1

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File created: C:\Windows\System32\75g4T9DLiA.exe

Jump to dropped file

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File created: C:\Windows\System32\75g4T9DLiA.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2584	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1300	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1154	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6032	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1438	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep count: 6915 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep count: 2584 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep count: 1300 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 6032 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 1438 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior

Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=/
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lwKk1x5+9NJD0oC1Sm0PchOiV+3spsDahFOwVMcIA7E=!
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:11:26.031][MicrosoftEdgeUpdate:msedgeupdate][6164:6168][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=+
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:22.600][MicrosoftEdgeUpdate:msedgeupdate][3356:4472][Send][url=https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/latest?action=select][request={"targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.96,"AppTargetVersionPrefix":"","AppVersion":"1.3.147.37","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"core","IsInternalUser":false,"IsMachine":true,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.147.37"}}][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eeKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=/
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:06:04.175][MicrosoftEdgeUpdate:msedgeupdate][8536:732][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=117.0.2045.47&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=9
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:35.318][MicrosoftEdgeUpdate:msedgeupdate][4092:4100][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_stable=INBX&appChannel_stable=4&appConsentState_stable=0&appDayOfInstall_stable=0&appInstallTimeDiffSec_stable=0&appLastLaunchTime_stable=0&appUpdateCheckIsUpdateDisabled_stable=false&appVersion_stable=92.0.902.67&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osPlatform=win&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.147.37][request=][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:09.866][MicrosoftEdgeUpdate:msedgeupdate][1336:8952][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.177.11&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enHfHDfN6bsbeT8o/5kyYSl66SsuWvyQeMuXDlHbQfqo=/
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ePXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=/
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:10.568][MicrosoftEdgeUpdate:msedgeupdate][4796:8636][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"","AppRollout":0.63,"AppTargetVersionPrefix":"","AppVersion":"","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"otherinstallcmd","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":10,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: operations.db.funksec.0.dr	Binary or memory string: xQemu
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A8eXZTvg7YGvCcJUzyxbHGFSKXp/UmDdgVxDyBqqswI=e*1
Source: xRdfz79jMR.exe, 00000000.00000003.1758861257.000001D14481A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eKcxqaYUpQemuF/g4XeY+/GN/5r9nu6fcwnr/bvuY4c=A
Source: xRdfz79jMR.exe, 00000000.00000003.1829991359.000001D144353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:10:48.035][MicrosoftEdgeUpdate:msedgeupdate][4220:5516][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.72,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"92","AppRollout":0.65,"AppTargetVersionPrefix":"","AppVersion":"92.0.902.67","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.6,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: xRdfz79jMR.exe, 00000000.00000003.1853691792.000001D142433000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1853039231.000001D142425000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1853392031.000001D142425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"			Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\net.exe "net" session	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false	Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\.curlrc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\dbg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\AppV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\s321033.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\i320.c2rx.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\s320.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\UserData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64mui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.publishermui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\DSS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Crypto\PCPKSP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\TELEMETRY.ASM-WINDOWSSQ.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-7005b72804a64fa4b2138faab88f877b-14cf798a-05a4-4b7b-9d02-4d99259ebd4a-7553.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\EventTranscript VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\osver.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\parse.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Siufloc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\DRM\Server VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\MapData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Pending.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\MF\Pending.GRL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\NetFramework VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xRdfz79jMR.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

Code function: 0_2_00007FF6D33AAF18 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6D33AAF18

Source: C:\Users\user\Desktop\xRdfz79jMR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xRdfz79jMR.exe	66%	ReversingLabs	Win64.Ransomware.Funksec
xRdfz79jMR.exe	60%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\75g4T9DLiA.exe	66%	ReversingLabs	Win64.Ransomware.Funksec

Source	Detection	Scanner	Label
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	0%	Avira URL Cloud	safe
http://ns.adobe.	0%	Avira URL Cloud	safe
https://getsession.org/	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipv4.imgur.map.fastly.net	199.232.192.193	true	false		high
i.imgur.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://g.live.com/0CR%1/30	xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	xRdfz79jMR.exe	false		high
https://g.live.com/odclientsettings/ProdV2.C:	xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144492000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata	xRdfz79jMR.exe, 00000000.00000003.1773989083.000001D1447F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D144509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14446E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.1756883927.0000025B44193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.1756883927.0000025B42821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp, xRdfz79jMR.exe, 00000000.00000003.1835125151.000001D14446E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getsession.org/	xRdfz79jMR.exe	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/HCYQoVR.jpegx	xRdfz79jMR.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.1756883927.0000025B44193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000007.00000002.1756883927.0000025B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1796496220.0000025B5AB93000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B435CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.1791403792.0000025B52895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000007.00000002.1756883927.0000025B43E49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.imgur.com/HCYQoVR.jpeg	xRdfz79jMR.exe	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.coinbase.com/)	xRdfz79jMR.exe	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	xRdfz79jMR.exe, 00000000.00000003.1832189684.000001D1444B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.1756883927.0000025B42A48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1756883927.0000025B435CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	xRdfz79jMR.exe, 00000000.00000003.1803571734.000001D1447E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000007.00000002.1756883927.0000025B42821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.	xRdfz79jMR.exe	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.blockchain.com/)	xRdfz79jMR.exe	false		high
https://login.microsoftonline.com/common	xRdfz79jMR.exe, 00000000.00000003.1828538606.000001D1445F0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.232.192.193	ipv4.imgur.map.fastly.net	United States		54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589533
Start date and time:	2025-01-12 18:50:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xRdfz79jMR.exe renamed because original name is a hash value
Original Sample Name:	dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966.exe
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@19/157@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7452 because it is empty
Execution Graph export aborted for target xRdfz79jMR.exe, PID 7312 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:51:05	API Interceptor	60x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.232.192.193	rZU3xTxOnl.exe	Get hash	malicious	FunkLocker	Browse
	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipv4.imgur.map.fastly.net	rZU3xTxOnl.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://heuristic-knuth-588d37.netlify.app/?naps/	Get hash	malicious	HTMLPhisher	Browse	199.232.196.193
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	199.232.196.193
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	199.232.192.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	rZU3xTxOnl.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.196.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	PDF-523.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	199.232.192.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rZU3xTxOnl.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	fMDYks4W2a.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	Y7iJlbvuxg.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	CF537GfmKa.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	siy9g3WGCc.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	SjDqoVVmzX.exe	Get hash	malicious	FunkLocker	Browse	199.232.192.193
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	199.232.192.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	sZSXKXOnBw.exe	Get hash	malicious	Unknown	Browse	199.232.192.193
	v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	199.232.192.193

Process:	C:\Users\user\Desktop\xRdfz79jMR.exe
File Type:	data
Category:	dropped
Size (bytes):	249
Entropy (8bit):	7.187139570577255
Encrypted:	false
SSDEEP:	6:kiCZVX+7N5pOtEzMlgNnfeYfei03P+4zylhan:kia+g2zM6tl1jkylha
MD5:	CFA58BAB4AB7C0CA40C5061322F6AF8F
SHA1:	1AF61DBEA0E816541719F61C746EAA0D02866D04
SHA-256:	88F24B2D1818BCA9179776213C5D132E64E9C315385BEB428A9AEABD47B3FA26
SHA-512:	661425B5363C2E7B4DAA7953898C6879DF12A420F0548DB8D465A63035D0E7B7F75BFBCD6DF4A55D0D9D5C4B39E5F8DCA39DCBBE39FD37917EF01F95DED3D4F1
Malicious:	true
Preview:	..~..,J&....#l..b.M...g.2...\n2.y.:@.y.@..;..&....U&.qM....\+.......{X.,.....t..f..yG}~..y.tW.E..l.)...<?.l....a....m.A.#{.o....H.`8.........$.>..R$.d..P......\|..s...0].L.(F...S.......1s.}.X.a.F JJ....*.CP..2.\..h..S,..I(9KK..B....t=.}.y.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul/nq/llh:NllUyt
MD5:	AB80AD9A08E5B16132325DF5584B2CBE
SHA1:	F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:	9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:	false
Preview:	@...e................................................@..........

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.241230809151898
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xRdfz79jMR.exe
File size:	5'479'936 bytes
MD5:	ca8ff8fb255a47d4be94af4ee3327c07
SHA1:	4c0c4941a31f9e45b422704a18fdfb44c2c1c4fa
SHA256:	dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966
SHA512:	ef4c108ad8c29486245d2c685dfff7d6dafca81eefc73f2005bce8161b0b2176171cdcba19d1ea8ebbc499852b79d2e1e5e18b1d643dd5d3c9981cc787a20b73
SSDEEP:	49152:7UwPUAoQrHs0q0wNvl4WKhy9uzCBr/jjYqe/QzG28eKHKVgpv4fn4t0IyBA3UTwd:k8bhCueKwAi8W96
TLSH:	D8463A22BB6A99ADC49AC0B483564B72297134CB0B3579FF45C442783E6DAF42F3C758
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d...IWzg.........."

Entrypoint:	0x14036acbc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677A5749 [Sun Jan 5 09:56:25 2025 UTC]
TLS Callbacks:	0x40351d60, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b7cec4b375160d05c87add0d9aea1b84

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x507204	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x50d000	0x28db8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x536000	0x6128	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x476620	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x476680	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4764e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37d000	0x660	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x37bd4f	0x37be00	214cd9be599a155060dbcca4ed11110e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37d000	0x18b990	0x18ba00	c2726082bad6641a83704c25180f65b0	False	0.2623358511058452	data	5.394947070884272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x509000	0x3310	0x3200	1453c568b2c3d7bc436c97d59d01d3ce	False	0.161015625	data	2.382691114228853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x50d000	0x28db8	0x28e00	882a93c795bc1fb2855c46671aba952a	False	0.49995221712538224	data	6.415503245894111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x536000	0x6128	0x6200	a9ef567c9e69370c4cfd4cb465f418ad	False	0.43136160714285715	data	5.455171446181547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
kernel32.dll	GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, GetCurrentProcess, SetHandleInformation, DuplicateHandle, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, lstrlenW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, CloseHandle, CreateWaitableTimerExW
user32.dll	SystemParametersInfoW
shell32.dll	SHGetKnownFolderPath
ole32.dll	CoTaskMemFree
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, SystemFunction036
ws2_32.dll	send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
secur32.dll	ApplyControlToken, AcquireCredentialsHandleA, QueryContextAttributesW, EncryptMessage, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, DecryptMessage, FreeCredentialsHandle, DeleteSecurityContext
crypt32.dll	CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll	NtCancelIoFileEx, NtReadFile, NtCreateFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	memcmp, __current_exception_context, memset, __current_exception, memmove, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll	roundf, pow, round, exp2f, truncf, ceil, powf, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:51:04.118900061 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.118932009 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:04.119092941 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.134202003 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.134223938 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:04.696655989 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:04.696727037 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.700417995 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.700432062 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:04.700918913 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:04.749174118 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.946175098 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:04.987340927 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.041495085 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.041697025 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.041781902 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.041800022 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042066097 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042098999 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042152882 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.042155981 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042166948 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042198896 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.042825937 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042856932 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042891979 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042907000 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.042917013 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.042931080 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.055350065 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.055418015 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.055427074 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.108371973 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.128096104 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.128318071 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.128362894 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.128369093 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.128380060 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.128421068 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.128427029 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129009962 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129045010 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129090071 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.129092932 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129103899 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129142046 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.129148006 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129193068 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.129198074 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129209995 CET	443	49730	199.232.192.193	192.168.2.4
Jan 12, 2025 18:51:05.129254103 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.129872084 CET	49730	443	192.168.2.4	199.232.192.193
Jan 12, 2025 18:51:05.129889011 CET	443	49730	199.232.192.193	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 18:51:04.098900080 CET	61427	53	192.168.2.4	1.1.1.1
Jan 12, 2025 18:51:04.106441975 CET	53	61427	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-12 17:51:04 UTC	62	OUT	GET /HCYQoVR.jpeg HTTP/1.1 accept: / host: i.imgur.com
2025-01-12 17:51:05 UTC	762	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28864 Content-Type: image/jpeg Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT ETag: "70f83e99427ac54b92283eaecb69c5df" x-amz-server-side-encryption: AES256 X-Amz-Cf-Pop: IAD89-P1 X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA== cache-control: public, max-age=31536000 Accept-Ranges: bytes Date: Sun, 12 Jan 2025 17:51:04 GMT Age: 1068828 X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740039-EWR X-Cache: Miss from cloudfront, HIT, HIT X-Cache-Hits: 85, 1 X-Timer: S1736704265.992460,VS0,VE1 Strict-Transport-Security: max-age=300 Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Server: cat factory 1.0 X-Content-Type-Options: nosniff
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: ff d8 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 02 04 02 b8 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 06 07 0a 05 04 02 03 ff c4 00 49 10 00 01 03 02 05 03 03 02 03 06 03 06 03 05 09 00 00 02 03 04 05 06 01 07 08 09 12 0a 13 22 11 14 32 23 42 15 21 52 16 31 33 41 62 72 24 43 82 17 34 51 53 61 63 19 25 73 18 44 92 93 Data Ascii: CC"I"2#B!R13Abr$C4QSac%sD
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: a2 55 8f 88 1a d4 13 43 74 ed 90 35 3f b4 3d bb 67 dc 3a 97 cd ac b0 ac 2a f7 9d 32 35 12 97 65 56 a7 c9 95 8a 62 b6 da 9e 79 69 97 06 3a 70 6d 3d e6 53 c9 2a 56 3c 9c 4f 89 0b c0 00 00 02 43 ed b5 b6 f6 7c ee 99 a8 c7 34 c7 a7 6a ed b1 4e ae 31 6f ca ad 3f 50 bb a6 c8 8f 09 a8 b1 d4 d3 6a e4 a8 f1 de 73 96 2a 79 b4 a7 c3 ee fb 4f bb 73 ad b0 f3 c3 6a 3c f6 a4 e9 e3 50 57 f5 95 5e af 56 2d 76 6b ed 2e c7 9f 32 4b 11 e2 bb 22 44 74 25 c5 4a 8b 1d 5d cc 55 19 cc 78 a5 2a f1 e3 e5 e4 04 6a 05 89 eb 17 a6 9b 5d 5a 19 d1 8d 63 5c 59 df 9b 19 4c 9b 62 87 06 9e fc da 3d 2a bd 54 76 a9 ca 64 88 f1 da 65 2d aa 9c 96 54 e2 5c 90 8e 5f 57 8a 78 ab c9 5c 7f 3a ec 00 00 00 00 00 01 23 76 d4 db 1b 53 5b a8 e7 a4 ac 86 d3 23 34 36 27 52 e8 8e 55 ab 35 ab a2 6b d1 a9 d4 Data Ascii: UCt5?=g:25eVbyi:pm=SV<OC\|4jN1o?PjsyOsj<PW^V-vk.2K"Dt%J]Uxj]Zc\YLb=*Tvde-T\_Wx\:#vS[#46'RU5k
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: 1c 85 c7 5c 97 54 a7 1f e2 b7 b9 27 b9 8a 94 9e e7 1e 5c 78 a5 3c e6 6e 63 4c b6 e8 7b 8e 67 fd 0a cd 8c cc 7a 3c 3c ec ba d8 a4 b1 1b 0f 46 9b 8a 8a c4 a4 b4 94 7f 4e 09 c1 3e 80 62 1a 61 d3 bd fd ab 4d 43 d9 3a 67 ca e5 42 45 c1 7d dc 90 e8 b4 a7 aa 4e ad 11 a3 b9 21 c4 b7 de 7d 4d a5 6a 4b 2d f2 c5 6b 52 52 a5 71 4a b8 a5 58 f8 93 e3 39 3a 4e f7 44 ca 5c c6 b1 72 ae 9b 54 cb 4b c2 ab 7d 4c 94 dc 7f d9 4b 82 76 2d 52 22 c6 4b 4a 7e 74 e7 25 c1 8e 96 63 a3 bc d2 7d 53 dc 71 4a 71 29 4b 6a 52 92 93 cc e9 42 c8 c7 b3 8b 79 5b 32 e5 71 cf 48 f9 79 6d 56 6e 69 6d e2 9f 5e e6 18 46 f6 0d e1 ff 00 4e 2f 4f 65 5f e9 2c 53 aa ff 00 79 8d 45 e9 32 ef b4 f4 29 a4 6c c6 a9 d9 75 9a d5 b5 fb 41 7b dd b4 45 a9 8a 82 22 bc f3 8c c4 87 16 4a 55 ce 32 95 8c 77 dc 71 4d Data Ascii: \T'\x<ncL{gz<<FN>baMC:gBE}N!}MjK-kRRqJX9:ND\rTK}LKv-R"KJ~t%c}SqJq)KjRBy[2qHymVnim^FN/Oe_,SyE2)luA{E"JU2wqM
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: 6a 90 69 c8 b3 99 b8 5f 7e b6 d4 a9 29 52 d2 ca 90 98 be db 15 25 2d b8 a5 60 99 0a e2 96 d5 f2 f4 3a 3f cc 9c ef a1 ec 9f b2 4d 12 f7 bb 29 0d d5 a6 65 26 52 d1 28 b1 29 98 f2 69 35 4a d7 b6 8f 0d a6 d5 c5 3c 92 87 25 2f 93 8a f9 25 3d c5 7f 23 99 0d 7f ef 65 b8 0e e6 76 13 79 55 aa dc c9 a4 54 ed a8 77 62 6e 1a 3d 16 95 6d 45 82 dd 3a 4a 63 bd 1d 2d b6 b6 93 dc 71 b4 b6 fb bf c6 5b 8a f2 f9 01 11 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 9c 76 09 d6 ae df 1a 01 d9 46 83 1f 30 f5 8d 93 b4 cb e9 e8 55 db b6 e0 b4 55 98 b4 b4 d5 1c 94 b7 9e c6 34 75 c5 ef 25 e5 4a 54 56 22 37 db e3 dc e5 c5 1f a4 e6 38 01 64 fd Data Ascii: ji_~)R%-`:?M)e&R()i5J<%/%=#evyUTwbn=mE:Jc-q[vF0UU4u%JTV"78d
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: 4e b0 ab 7b 2f 5e af 52 e8 a8 a6 23 17 1c 5d 0e d3 6a 67 27 11 8a 98 4a 9c 71 ce db d2 5f 57 6d 2a 57 71 e5 76 f0 f8 a4 b7 bc dc db 47 a4 cb 55 d9 87 1f 51 94 7d 74 d8 56 0c 79 cf fb fa 8d a5 69 e7 55 22 8d 06 72 95 c5 6a 4b 90 66 a5 52 22 27 d3 fc b8 fe df 8f 25 78 a5 5f 10 9b fb 19 e4 9e dd b9 23 a6 ab 92 df db 42 35 52 af 64 33 79 3b 06 7e 63 d6 a4 f7 df bc 2a 11 d9 6d 2f 4a 6d de db 69 76 3b 6a 57 65 2b 69 b6 d9 52 9b 77 b6 9f de a5 51 66 50 6f 41 6f e9 c3 a8 df 32 37 02 bc 5d c2 ab 60 dc d7 95 6a da ad c9 a2 a3 17 dc 5d b7 dc 4c 58 52 98 f2 fa 8a 42 61 c0 79 5f bf 9a 5b 5a 52 9f 24 f1 9d 1b 99 75 04 6d fb a0 cd 11 bd b7 f6 cf 95 5a 55 56 b6 dd 09 da 0d 22 ad 69 a1 c5 d1 ad 58 af 60 ae f4 a6 e5 ab fd f6 62 bb 8b 52 54 da 9c 4f 79 6a 71 c7 31 52 78 39 Data Ascii: N{/^R#]jg'Jq_WmWqvGUQ}tVyiU"rjKfR"'%x_#B5Rd3y;~cm/Jmiv;jWe+iRwQfPoAo27]`j]LXRBay_[ZR$umZUV"iX`bRTOyjq1Rx9
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: ae 5d bf 2f 15 25 5a 1f 79 7d 20 e9 df 41 1b 86 5e ba 43 d3 45 c1 75 d5 a8 36 5b 34 f6 24 54 af 2a 84 59 32 9e 9a f4 36 65 3b e8 a8 cc 32 df 6d 3d f4 b7 c7 b7 cb 93 6a 02 2a 03 d6 b3 2d 4b 8a fd bb 29 76 3d a1 4a 5c ea ad 6a a2 cc 0a 5c 26 d4 9c 15 22 43 ce 25 b6 db 4f 2f cb 92 94 a4 a7 ff 00 d4 ba 2d ed fa 73 f6 f1 da df 6f 4a 96 a5 ec 8c ee cd 29 f7 c2 ab 74 aa 35 bb 02 e6 b8 29 6b a7 4d 99 21 dc 14 fa 7b 4c d3 59 79 7e 91 5a 96 e2 52 97 30 c5 3d be 58 f2 c1 2a 4a 82 91 c0 00 00 00 01 b7 b4 1b a6 99 3a c9 d6 8e 57 69 71 9c 26 60 cd ef 7b d3 e9 55 47 e9 ee b6 db f1 e0 b9 21 3e ee 43 6a 71 2a 4f 26 e3 f7 9c f2 4a bf 87 f1 57 c4 b1 0e a2 2d 8f 34 17 b4 56 46 65 fd d1 90 19 b5 99 55 7b c6 f6 bb 1f 88 9a 5d ef 5d a6 c8 63 1a 64 58 aa 54 97 9b 6e 3c 18 ee 77 Data Ascii: ]/%Zy} A^CEu6[4$TY26e;2m=j-K)v=J\j\&"C%O/-soJ)t5)kM!{LYy~ZR0=XJ:Wiq&`{UG!>CjqO&JW-4VFeU{]]cdXTn<w
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: 2e 1b b2 24 c9 75 2d 47 8e c3 78 ad c7 16 ac 70 4a 52 94 e1 f2 56 38 ff 00 20 3b 49 db 53 49 ba 1d db 0f 42 df b3 da 66 ce 56 2a 59 59 8b b3 2f 09 f9 91 71 dc d0 1f 62 63 2e b6 95 39 50 7a 7c 66 d9 8a a6 51 1d 86 d3 dd e2 94 a5 a6 53 c9 5e 3c 8a 67 b8 36 49 da ff 00 56 db ba 58 1a 7a d2 9e bc ee ec d4 a4 5d 96 dd cb 7d 67 75 e7 44 cc 4a 15 5e 64 37 12 e2 53 17 db 49 83 07 db b3 21 c9 8f 72 71 0e 25 c5 76 d4 95 27 06 fd 53 8a ac 3b 7c 39 8c ed f9 d3 a7 5e c8 eb 19 d6 a2 2e 15 81 6e 65 dd 31 0f 2b 97 26 56 a8 b0 e4 a7 d7 d7 c9 4a 86 89 3e 5f ab cb 1e 5f 99 05 ba 22 72 2a 2c fc cb cf 6d 4b d4 68 e9 c5 da 55 0e 93 6c 52 2a 38 e3 f9 f1 94 f3 d2 a5 b6 9c 3f fd a4 25 2b fb 93 fd 40 46 4e a8 2d 32 5b 3a 32 d4 3e 59 e9 d6 91 ac 5c f9 cd 99 c8 b2 5d ad cd 56 76 66 Data Ascii: .$u-GxpJRV8 ;ISIBfVYY/qbc.9Pz\|fQS^<g6IVXz]}guDJ^d7SI!rq%v'S;\|9^.ne1+&VJ>__"r,mKhUlR*8?%+@FN-2[:2>Y\]Vvf
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: 61 ac 70 6d aa b5 d7 5b a7 fd fe 4a 6a 1c 27 3f a5 3e 35 04 ff 00 d7 fd 25 03 16 49 d5 6b 9e 92 73 9b 79 7b de db 4b 7f e1 32 f2 dd a3 db 10 1c e5 8e 3c d2 98 b8 4e 7b 1f 4c 70 f1 f4 91 3d f4 ff 00 a7 97 dc 56 d8 16 91 b2 c7 4d 4e 68 ee 5b 97 ec ea 87 3f b3 12 46 5c e5 1b b2 1d 45 2e 44 38 69 76 ab 70 25 95 29 2e b9 1b b9 f4 e3 47 4a 92 a4 fb 87 12 e7 aa 9b 52 52 da b0 f2 27 2c 6e 91 cd a7 75 0b 97 d7 0a 34 59 b8 6d e1 5c b8 68 92 9c a6 cc aa 35 74 d0 ae 1a 7d 36 a6 94 f9 47 96 c4 08 ac b8 da d3 f7 36 a7 92 a4 e0 a2 7f ee 31 52 d1 46 85 f6 95 7e c5 d4 5e 4c de 97 4e 46 db f6 ed 22 d7 ac db 99 65 50 5c 69 4a a6 f2 66 3b 3c 9e 6a 6c 37 3d ba 94 96 d0 e7 17 b0 ee 25 dc 52 a4 a9 2a 52 4a b2 b3 3a 92 b4 8d a5 ac 8d b9 72 bb 64 3d a6 eb b4 67 9b a5 c8 ab dc 15 Data Ascii: apm[Jj'?>5%Iksy{K2<N{Lp=VMNh[?F\E.D8ivp%).GJRR',nu4Ym\h5t}6G61RF~^LNF"eP\iJf;<jl7=%R*RJ:rd=g
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: bf 61 1d 31 d6 f7 53 cd cd 00 ee 27 a9 e8 b4 69 59 65 2a 9a c5 9d 4b a1 dc b4 fa 54 eb e2 44 ce 33 22 e2 c3 13 52 f3 8f 36 a8 3e 8e 3d 1d 94 a9 c6 d5 21 b4 f7 3c 7c a4 bf 44 fe 99 73 56 8a f6 70 6a d6 bd 42 99 06 d0 ad 40 81 6e db f2 de 47 16 aa d2 9a 79 c7 a4 a9 bf 5f 92 59 fa 48 e5 87 8f 27 54 9f 92 55 c7 dc d3 f5 46 d3 d7 77 59 05 eb 99 36 cd 4a 3d 42 89 92 d6 dc bf 6c f4 54 7a a1 e7 a0 53 a3 d1 df c1 cc 71 f9 76 ea 13 de e2 a4 f1 fe 0b 7f 2f b8 2c 93 78 8c 9f d0 1e a4 b4 cd 0f 4b ba fe d6 2d 3f 27 2d 8b 92 b2 cc d8 72 5c bf a8 f4 09 15 65 41 52 55 8b 2d ae a8 db 8d ba db 6a 75 97 16 96 d3 c9 2a ed f9 27 d7 cb 9f 5d bb 3a 79 6e 2d cf 75 37 99 93 32 1b 34 5f b7 b4 ed 64 66 1d 46 8d 46 cc 7a c6 0d d4 66 d7 22 b3 25 58 30 98 b8 32 96 59 90 f2 a3 f6 5c 71 Data Ascii: a1S'iYeKTD3"R6>=!<\|DsVpjB@nGy_YH'TUFwY6J=BlTzSqv/,xK-?'-r\eARU-ju']:yn-u724_dfFFzf"%X02Y\q
2025-01-12 17:51:05 UTC	1371	IN	Data Raw: c9 c8 df 97 15 7d 4a 11 3a 0d e8 86 c8 d9 b1 ed 8c f8 d4 b5 42 0b 58 b1 36 7d 1a d9 a4 c8 f4 f3 4a 99 44 89 52 d3 fd b8 f7 e1 7f f0 ff 00 d0 09 31 d4 a1 92 1b 60 ea 3f 29 26 d6 f5 7f ad e5 5b 17 f6 4f 58 75 ca d5 8d 95 54 5c cc a2 d3 a6 d6 a6 48 8e 97 18 4a e0 cb 65 e9 0f 29 e7 22 32 d3 6a 6f 8f 8a 95 c4 83 f9 f9 d3 4d a1 8d 32 ec bf 27 70 2c e5 cd 7c d5 a5 e6 35 3f 27 29 f5 e9 b4 47 2b f4 b4 d2 d9 b8 a6 47 65 2c c1 52 30 a7 a9 cc 59 f7 92 5b 67 8e 0f 72 57 af f1 3e e2 21 ee 9d 54 8d b8 7f 51 6d d9 96 88 ac 49 f6 37 46 79 52 72 f1 87 b9 62 af 6e 88 f2 22 d1 56 a6 bf e0 9e e3 4e 38 9e 3f 2e 5c be e2 e2 fa c2 f3 8f fd 95 6d 39 4c ca 4a 2c 54 60 9b f3 32 69 54 97 9a 4e 3c 70 66 1c 56 64 4e f5 4f e5 fc 9d 89 19 3c 7f e0 a5 7e 90 2a 97 a7 4f 64 ac 8a dd ee b3 Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,\|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od

Target ID:	0
Start time:	12:51:02
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\xRdfz79jMR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xRdfz79jMR.exe"
Imagebase:	0x7ff6d3040000
File size:	5'479'936 bytes
MD5 hash:	CA8FF8FB255A47D4BE94AF4EE3327C07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	12:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	12:51:10
Start date:	12/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xRdfz79jMR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.funksec

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.funksec

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\VirtualRegistry.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\operations.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db.funksec

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.man.dat.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.funksec

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.funksec

Windows Analysis Report
xRdfz79jMR.exe

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre