
Windows Analysis Report
wuknbFMdeq.exe

Overview

General Information

Sample name: wuknbFMdeq.exe (renamed because the original name is a hash value)
Original sample name: 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c.exe
Analysis ID: 1589800
MD5: 73744280fb8e7db578c9303b7620fb16
SHA1: 082258d125f9fb3ea080da1b1fa86bf0a0302cd8
SHA256: 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c
Tags: exe, funklocker, funksec, ransomware, user-TheRavenFile

Detection

FunkLocker
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FunkLocker Ransomware
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the recycle bin to hide itself
Disables Windows Defender (via service or powershell)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Sigma detected: Disable of ETW Trace
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level

Classification

  • System is w10x64
  • wuknbFMdeq.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\wuknbFMdeq.exe" MD5: 73744280FB8E7DB578C9303B7620FB16)
    • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • net.exe (PID: 6172 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • net1.exe (PID: 4672 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • tasklist.exe (PID: 3304 cmdline: "tasklist" /fi "IMAGENAME eq vmware" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • powershell.exe (PID: 6548 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • WmiPrvSE.exe (PID: 7472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6496 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wevtutil.exe (PID: 7416 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)
    • powershell.exe (PID: 6224 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wevtutil.exe (PID: 7408 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)
    • powershell.exe (PID: 5748 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: wuknbFMdeq.exe PID: 6180 | JoeSecurity_funklocker | Yara detected FunkLocker Ransomware | Joe Security |

    System Summary

    Source: Process started | Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wuknbFMdeq.exe", ParentImage: C:\Users\user\Desktop\wuknbFMdeq.exe, ParentProcessId: 6180, ParentProcessName: wuknbFMdeq.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 6496, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wuknbFMdeq.exe", ParentImage: C:\Users\user\Desktop\wuknbFMdeq.exe, ParentProcessId: 6180, ParentProcessName: wuknbFMdeq.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6548, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wuknbFMdeq.exe", ParentImage: C:\Users\user\Desktop\wuknbFMdeq.exe, ParentProcessId: 6180, ParentProcessName: wuknbFMdeq.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6548, ProcessName: powershell.exe
    Source: Process started | Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Data: Command: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Application /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6224, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, ProcessId: 7408, ProcessName: wevtutil.exe
    Source: Process started | Author: frack113 | Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wuknbFMdeq.exe", ParentImage: C:\Users\user\Desktop\wuknbFMdeq.exe, ParentProcessId: 6180, ParentProcessName: wuknbFMdeq.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 5748, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wuknbFMdeq.exe", ParentImage: C:\Users\user\Desktop\wuknbFMdeq.exe, ParentProcessId: 6180, ParentProcessName: wuknbFMdeq.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6548, ProcessName: powershell.exe
    No Suricata rule has matched


    AV Detection

    Source: C:\Program Files\a2V9YZRdM3.exe | ReversingLabs: Detection: 55%
    Source: wuknbFMdeq.exe | Virustotal: Detection: 52%
    Source: wuknbFMdeq.exe | ReversingLabs: Detection: 55%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Directory created: C:\Program Files\a2V9YZRdM3.exe
    Source: unknown | HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: wuknbFMdeq.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: dev.pdbw source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr
    Source: Binary string: dev.pdb source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\
    Source: global traffic | HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1 accept: */* host: i.imgur.com
    Source: Joe Sandbox View | IP Address: 199.232.192.193
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1 accept: */* host: i.imgur.com
    Source: global traffic | DNS traffic detected: DNS query: i.imgur.com
    Source: a2V9YZRdM3.exe.0.dr | String found in binary or memory: http://ns.adobe.
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC605A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC540B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC46A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC540B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC46A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC57D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
    Source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | String found in binary or memory: https://getsession.org/
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: a2V9YZRdM3.exe.0.dr | String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
    Source: powershell.exe, 00000009.00000002.2093142352.000001FEC605A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | String found in binary or memory: https://www.blockchain.com/)
    Source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | String found in binary or memory: https://www.coinbase.com/)
    Source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | String found in binary or memory: https://www.torproject.org/
    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknown | HTTPS traffic detected: 199.232.192.193:443 -> 192.168.2.5:49704 version: TLS 1.2

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: Process Memory Space: wuknbFMdeq.exe PID: 6180, type: MEMORYSTR
    Source: C:\Windows\System32\wevtutil.exe | Process token adjusted: Security
    Source: a2V9YZRdM3.exe.0.dr | Binary string: 0\Device\Afd\Mio
    Source: a2V9YZRdM3.exe.0.dr | Binary string: Failed to open \Device\Afd\Mio: h
    Source: classification engine | Classification label: mal100.rans.evad.winEXE@21/34@1/1
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File created: C:\Program Files\a2V9YZRdM3.exe
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File created: C:\Users\user\Desktop\README-8wyoutVJSA.md
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u22pxu1d.loo.ps1
    Source: wuknbFMdeq.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: wuknbFMdeq.exe, 00000000.00000003.2211390410.00000218A1C3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL);
    Source: wuknbFMdeq.exe | Virustotal: Detection: 52%
    Source: wuknbFMdeq.exe | ReversingLabs: Detection: 55%
    Source: wuknbFMdeq.exe | String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of blockX
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File read: C:\Users\user\Desktop\wuknbFMdeq.exe
    Source: unknown | Process created: C:\Users\user\Desktop\wuknbFMdeq.exe "C:\Users\user\Desktop\wuknbFMdeq.exe"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Sections loaded: apphelp.dll, secur32.dll, vcruntime140.dll, cryptbase.dll, sspicli.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, gpapi.dll, cryptnet.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, kernel.appcore.dll
    Source: C:\Windows\System32\net.exe | Sections loaded: mpr.dll, wkscli.dll, netutils.dll, samcli.dll, srvcli.dll, iphlpapi.dll
    Source: C:\Windows\System32\net1.exe | Sections loaded: samcli.dll, netutils.dll, dsrole.dll, srvcli.dll, wkscli.dll, logoncli.dll, cryptbase.dll
    Source: C:\Windows\System32\tasklist.exe | Sections loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\wevtutil.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wevtutil.exe | Section loaded: wevtapi.dll
    Source: C:\Windows\System32\wevtutil.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wevtutil.exe | Section loaded: wevtapi.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\tasklist.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Directory created: C:\Program Files\a2V9YZRdM3.exe
    Source: wuknbFMdeq.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: wuknbFMdeq.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: wuknbFMdeq.exeStatic file information: File size 5484032 > 1048576
    Source: wuknbFMdeq.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x37cc00
    Source: wuknbFMdeq.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18bc00
    Source: wuknbFMdeq.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: wuknbFMdeq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: dev.pdbw source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr
    Source: Binary string: dev.pdb source: wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File created: C:\Program Files\a2V9YZRdM3.exe

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1652
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7644
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1668
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6718
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1271
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep count: 1652 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep count: 7644 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep count: 1621 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep count: 1668 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep count: 6718 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep count: 1271 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 further identical entries)
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\
Source: C:\Users\user\Desktop\wuknbFMdeq.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\
Source: tasklist.exe, 00000004.00000002.2038744783.000001D36ACE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasklist/fiIMAGENAME eq vmware\UsersS
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'
Source: tasklist.exe, 00000004.00000003.2038212772.000001D36AAC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000002.2038503819.000001D36AAA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware"C:\Windows\system32\tasklist.exeWinsta0\Default?N
Source: tasklist.exe, 00000004.00000002.2038744783.000001D36ACE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'E+S
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMAGENAME eq vmware
Source: tasklist.exe, 00000004.00000003.2038212772.000001D36AAEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'Users\userwindir=C:\Windows/N
Source: a2V9YZRdM3.exe.0.dr Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: a2V9YZRdM3.exe.0.dr Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasklist/fiIMAGENAME eq vmwarej
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'Users\userwindir=C:\Windows
Source: tasklist.exe, 00000004.00000002.2038503819.000001D36AAA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"{N
Source: tasklist.exe, 00000004.00000002.2038744783.000001D36ACE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: > WHERE Caption = 'VMWARE'2\Wbem;C:\Windows\System32\WindowsPoerShell
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE'0
Source: tasklist.exe, 00000004.00000002.2038627823.000001D36AAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE');
Source: tasklist.exe, 00000004.00000002.2038503819.000001D36AAA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware"
Source: wuknbFMdeq.exe, 00000000.00000002.2216034170.000002189FEC8000.00000004.00000020.00020000.00000000.sdmp, wuknbFMdeq.exe, 00000000.00000003.2213229714.000002189FEC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 identical entries)
Source: C:\Users\user\Desktop\wuknbFMdeq.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$WinREAgent VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\$WinREAgent\Scratch VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\.ms-ad VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL-journal VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\S VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\Profiles VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL-journal VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOCK VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformation
Source: C:\Users\user\Desktop\wuknbFMdeq.exe | Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeCode function: 0_2_00007FF77B12BE68 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF77B12BE68
    Source: C:\Users\user\Desktop\wuknbFMdeq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix, one line per tactic; a number in parentheses is the count of matching signatures for that technique, techniques without a number did not match:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (13); Disable or Modify Tools (21); Virtualization/Sandbox Evasion (21); Process Injection (11); Hidden Files and Directories (1); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (14)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1589800, Sample: wuknbFMdeq.exe, Startdate: 13/01/2025, Architecture: WINDOWS, Score: 100):

• wuknbFMdeq.exe started; signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected FunkLocker Ransomware; 5 other signatures
• wuknbFMdeq.exe contacts ipv4.imgur.map.fastly.net (199.232.192.193, port 443, local port 49704, FASTLYUS, United States) and i.imgur.com
• wuknbFMdeq.exe drops C:\Program Files\a2V9YZRdM3.exe (PE32+) and C:\$Recycle.Bin\...\desktop.ini.funksec (data)
• signatures on wuknbFMdeq.exe: Creates files in the recycle bin to hide itself; Bypasses PowerShell execution policy; Modifies Windows Defender protection settings; Disables Windows Defender (via service or powershell)
• wuknbFMdeq.exe starts three powershell.exe instances and 4 other processes
• powershell.exe: Loading BitLocker PowerShell Module; starts WmiPrvSE.exe
• powershell.exe starts wevtutil.exe; the other processes start wevtutil.exe and net1.exe

Antivirus detection (Source | Detection | Scanner | Label):
wuknbFMdeq.exe | 53% | Virustotal |
wuknbFMdeq.exe | 55% | ReversingLabs | Win64.Ransomware.FunkSec
C:\Program Files\a2V9YZRdM3.exe (dropped) | 55% | ReversingLabs | Win64.Ransomware.FunkSec
No Antivirus matches
No Antivirus matches
http://ns.adobe. | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ipv4.imgur.map.fastly.net | 199.232.192.193 | true | false | | high
i.imgur.com | unknown | unknown | false | | high
URLs found in memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2093142352.000001FEC605A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000009.00000002.2093142352.000001FEC57D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.coinbase.com/) | wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC540B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2093142352.000001FEC540B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2093142352.000001FEC605A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2116349592.000001FED4714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000009.00000002.2093142352.000001FEC59B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://i.imgur.com/HCYQoVR.jpeg | a2V9YZRdM3.exe.0.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.2093142352.000001FEC46A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.torproject.org/ | wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | false | | high
http://ns.adobe. | a2V9YZRdM3.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.2093142352.000001FEC46A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2093142352.000001FEC48C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.blockchain.com/) | wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | false | | high
https://getsession.org/ | wuknbFMdeq.exe, a2V9YZRdM3.exe.0.dr, README-8wyoutVJSA.md.0.dr | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
199.232.192.193 | ipv4.imgur.map.fastly.net | United States | 54113 | FASTLYUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589800
Start date and time: 2025-01-13 07:21:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wuknbFMdeq.exe (renamed because the original name is a hash value)
Original Sample Name: 00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c.exe
Detection: MAL
Classification: mal100.rans.evad.winEXE@21/34@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5748 because it is empty
• Execution Graph export aborted for target wuknbFMdeq.exe, PID 6180 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description:
01:22:02 | API Interceptor | 47x Sleep call for process: powershell.exe modified
Context for IP 199.232.192.193 (Associated Sample Name / URL | Detection | Threat Name):
xRdfz79jMR.exe | malicious | FunkLocker
rZU3xTxOnl.exe | malicious | FunkLocker
fMDYks4W2a.exe | malicious | Unknown
http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown
https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher
https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf | malicious | Unknown
https://media.maxfs.de/ | malicious | Unknown
setup-avast-premium-x64.exe | malicious | Unknown
setup-avast-premium-x64.exe | malicious | Unknown
https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253 | malicious | KnowBe4
Context for domain ipv4.imgur.map.fastly.net (Associated Sample Name / URL | Detection | Threat Name | Resolved IP):
https://hmflowcontrols.com/ch/CHFINAL/50477/ | malicious | Unknown | 199.232.196.193
xRdfz79jMR.exe | malicious | FunkLocker | 199.232.192.193
rZU3xTxOnl.exe | malicious | FunkLocker | 199.232.192.193
fMDYks4W2a.exe | malicious | Unknown | 199.232.192.193
Y7iJlbvuxg.exe | malicious | FunkLocker | 199.232.196.193
CF537GfmKa.exe | malicious | FunkLocker | 199.232.196.193
siy9g3WGCc.exe | malicious | FunkLocker | 199.232.196.193
SjDqoVVmzX.exe | malicious | FunkLocker | 199.232.196.193
http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 199.232.192.193
https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher | 199.232.196.193
Context for ASN FASTLYUS (Associated Sample Name / URL | Detection | Threat Name | IP):
https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com | malicious | Unknown | 151.101.66.137
https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk | malicious | Unknown | 185.199.108.133
http://satelite.nv-ec.com/aU3V88/c1.php | malicious | Unknown | 151.101.2.137
https://support.te-wt.com/aU3V88/c1.php | malicious | Unknown | 151.101.66.137
https://www.flndmy.er-xu.com/aU3V88/c1.php | malicious | Unknown | 151.101.66.137
https://www.support.ue-vt.com/aU3V88/c1.php | malicious | Unknown | 151.101.194.137
https://www.lforgot.xw-er.com/aU3V88/c1.php | malicious | Unknown | 151.101.66.137
https://support.wt-nx.com/aU3V88/c1.php | malicious | Unknown | 151.101.194.137
https://www.maps.tv-wt.com/aU3V88/c1.php | malicious | Unknown | 151.101.130.137
https://htpss-encontrar.bicicletasraper.com/aU3V88/c1.php | malicious | Unknown | 151.101.194.137
Context for JA3 fingerprint 3b5074b1b5d032e5620f69f9f700ff0e (Associated Sample Name / URL | Detection | Threat Name | IP):
rCHARTERREQUEST.exe | malicious | AgentTesla | 199.232.192.193
https://www.flndmy.er-xu.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://support.wt-nx.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://www.maps-s.xz-sr.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://www.support.wt-nx.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://www.location.as-nt.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://findmy.cl-ew.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://www.maps.cx-vr.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://flndmy.ef-uc.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
https://www.support.av-ro.com/aU3V88/c1.php | malicious | Unknown | 199.232.192.193
                                                                      No context
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):249
                                                                      Entropy (8bit):7.161475476097081
                                                                      Encrypted:false
                                                                      SSDEEP:6:qjgBqkN7gWw6UorJ/NqOkk4VnfQGf5j3F89PT289H:0gB57ldY5khGfPsH
                                                                      MD5:4F76B0EBEBAE3EAE503AAAABF1049714
                                                                      SHA1:AF288C04EB39FAE4DE2D8AD3B943A0488F8AEDD7
                                                                      SHA-256:621A4C3CDF561EAE63D755F688A3671F4E85588611006EC8802732AC38D6AE4D
                                                                      SHA-512:D29069BF8C0C6FD63EF1B5DA9BC665B07F3BB7240567173D124C91C8D20237B4F640256AC099D338653CCFFA49906D4C3121BF2C8D6357028F4B24B8DC611C6A
                                                                      Malicious:true
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):249
                                                                      Entropy (8bit):7.017803036294602
                                                                      Encrypted:false
                                                                      SSDEEP:6:e0NkvH6cuki7Dt46b7eLq3Q05NguR1ApXU7UEe3a:tNkvH6c/YD6q3rHgWGkw1K
                                                                      MD5:A906C5CBABCB261457CC301AE4C66441
                                                                      SHA1:A573BCA443532C1EA83D75F0F4C0FA172B4197D4
                                                                      SHA-256:5CECA6FD0FAF98FEB7C48756C3584AAEACAC9300D76504EAEA0BFE511BD42D9B
                                                                      SHA-512:6D1B168B1E5B4F3A004AACE63BA5DD4A9F7F5656E9A178583B0D88EC7A0FF041B7355E411F3559D57BEF3A89C7BA1FE8BF011D7E12829FF70D6DAB3BF4B7DF1E
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):249
                                                                      Entropy (8bit):7.173602182959144
                                                                      Encrypted:false
                                                                      SSDEEP:6:SMobNta4Oka/MnW1hw9cUNyWDMEDKmwTn5tM5Cvozn:w5lOuqUNtcmutM5wUn
                                                                      MD5:91726A9D52B0F5D75D92B22FC8350593
                                                                      SHA1:32A981FE0FAD3297BA4A99D09642579CEAF7941E
                                                                      SHA-256:270A312AF71C1E1FB597AB6631BAADDCEE775D57B53AADE72EADBD604846EF5A
                                                                      SHA-512:22EBAF5B2F5027A3DA2EF17BA6A74DE2FC260B581CC0957F1BCDAFE7BBF65A489B40D5CBA6121EA402710685E4845DEF8A4938079163015A2C151C1E675F074E
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):249
                                                                      Entropy (8bit):7.228921209107004
                                                                      Encrypted:false
                                                                      SSDEEP:6:X75Jp7OED8prSgttRr+dbwoGditVcb5p2NsK5ppOz7W+0+YkJ:X7Z71aGgXl+dLjib5p2rHpOzCfa
                                                                      MD5:0571A420FAEA9CEEE1756EA1739AB929
                                                                      SHA1:A179C943F89BD091380C5DE54ADCFEB29F3D89D1
                                                                      SHA-256:DCB34E4416BEFC22A3D55502FEA0C0E85759C48C454CAE16550B20E09E6B135F
                                                                      SHA-512:30C881B64D9D4A5EFCC1A15D20B958BF18AE659D8C57BB481E2CB0996116F459B097199345D3014FE39C8AD55A953221A86C43AC4056CC56C295AB34513C69B3
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5484032
                                                                      Entropy (8bit):6.23993361393518
                                                                      Encrypted:false
                                                                      SSDEEP:49152:d0EXb1TLA+w5C9qnQq9/7xmspwRURBa77dr5dYqBB42u11vtdHeE/90stTDw6xX1:M5C9YnCgHe+3IxbhVJIj59
                                                                      MD5:73744280FB8E7DB578C9303B7620FB16
                                                                      SHA1:082258D125F9FB3EA080DA1B1FA86BF0A0302CD8
                                                                      SHA-256:00ACF5D0DB7EF50140DAE7A3482D9DB80704EC98670BD1607E76C99382A4888C
                                                                      SHA-512:6DFF7EBA43088F64F070133D85BA5861B796B34EE770561F2FEA9501F2792BD620387D7D4C0AD21FBEA6E410AEF59CF7D29CB0807662883D6BAAE146FC4E423E
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 55%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d....<|g.........."....*..7...........6........@..............................S...........`...................................................P.|.............P..............pS.La...yG.T....................zG.(...PxG.@.............7.`............................text...?.7.......7................. ..`.rdata........7.......7.............@..@.data....3....P..2....P.............@....pdata........P.......P.............@..@.reloc..La...pS..b...LS.............@..B................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):466
                                                                      Entropy (8bit):7.287640537444485
                                                                      Encrypted:false
                                                                      SSDEEP:12:tKot7JUXASM9l9j6jM+PHB9HbcDDCYN6zwcCOkzFAU/IVrDJn:tkXAjl9Ww+PH77cnNNYfJkzFA/1DJ
                                                                      MD5:AF590A68F46F83B8C89EB6C6F6071C66
                                                                      SHA1:314E2347A8B15A8706762CFCBA485BBF82211840
                                                                      SHA-256:827C3749C5540361E16B86B195635B23036FD7D309EA73CECCC4754819015329
                                                                      SHA-512:120A508F2758B53A7FD2CB4F8FFAD2248F8C483E963EC9A5FB468789B47E6917783261E910AB5E426ECDCDC0BB8F85DD09EE60618B2B0BB5D83AC709BAF57BCD
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):24
                                                                      Entropy (8bit):4.584962500721156
                                                                      Encrypted:false
                                                                      SSDEEP:3:LUkFzjG56s8:LUkFza6h
                                                                      MD5:F8F78949010CED7AA4BC2E88009B623E
                                                                      SHA1:554F0F06B7E70AD7D8EE0545E4A2EFFFF9B1C2C0
                                                                      SHA-256:9FD8AF5A4FAAB1C75A7F08AB15F7C9ED357935A912BBB6E4E027601CCDF7E039
                                                                      SHA-512:9836DBC0D8DBC9399F7BA59F68D28305199E377AE5709C59C98C6BFF2C9E28B52F063E322A93B4871E834A604E81AF85A1221DE0586BFD63FEF4B48E365EE831
                                                                      Malicious:false
                                                                      Preview:P5......=....6b./....@.
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):24
                                                                      Entropy (8bit):4.41829583405449
                                                                      Encrypted:false
                                                                      SSDEEP:3:EVoHgx04:JD4
                                                                      MD5:36452B92250C24347EDFEB9B481F2DE8
                                                                      SHA1:577AA94044C37469E0B7EFF3EAC712B7F04E5B11
                                                                      SHA-256:FE57E27CFB7FC952759D8D5A7D44077DF8219458BDFAA7C298FEC7F76820B0AB
                                                                      SHA-512:44BB5E8F41B8BF27E235BD4DF7682AF9A325B8FD0680ECC1B73495D170A50D7E29547684009FE9BC51B78CB948F11649A9EC8C8C340A84B4E5FF2578C25F3ACE
                                                                      Malicious:false
                                                                      Preview:uP2.v.*7.k."J.v.i..]c.
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):700
                                                                      Entropy (8bit):7.707949209819155
                                                                      Encrypted:false
                                                                      SSDEEP:12:qBYEtuhV2XANVJ2hcif5yV4l5hWvRIpzyu7qQ+5Pc5+SZmQEz9LQxZtT2pDC9U:cM/HNVEFYV44vRor81cgSkYt1U
                                                                      MD5:4FE3692377ABC8DD46BAAF6F9A01CC42
                                                                      SHA1:5D230AC3921967B90FE2BBFA4CF7108AB1F82042
                                                                      SHA-256:2EA3CAF8BE85568654C8A78BCC6C600259FD03D67B77DE2FF75980D853BB60FD
                                                                      SHA-512:E9913C76D083D22BB2AB8CD6C7313E7913C3BB6D369405D1E0103446622C73CEEEC48D2FE875B1F96984D4198DEE508A2582318A495013CFE4D91B27243634DA
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):446
                                                                      Entropy (8bit):7.507333197335605
                                                                      Encrypted:false
                                                                      SSDEEP:12:0TI5Ft0WpUzAfZZMbDoLRf116icuTMT1Gxq/4IxVVW:J5vpdMu9o0T41GE/4IxVY
                                                                      MD5:F9F38C77413619ADB050AEB90FA95F6C
                                                                      SHA1:E35CCB1945386B449D2F99F984838F34D0ACEAC4
                                                                      SHA-256:56F9E0D86DE8EF9376ADE6F04B2665678353A93377E691C806F20EB09F432042
                                                                      SHA-512:90F6AAF2FB0413ACFE37EDEE359BB0595816F79C2CEB8F340348757C278AF5BE23363C8CCE0471EC3264B56A51CF50B4FBE882A6BBEEDF8E1D2C0FEA2A624BE9
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1737
                                                                      Entropy (8bit):7.864398721968478
                                                                      Encrypted:false
                                                                      SSDEEP:48:BfgvJc+beX1o+Y/4dgcK+behMskquosbwhCoB0:BfgDb/+Y/AgcfoE/xICoB0
                                                                      MD5:9BC38AC0B295E2BBCB27A4B3CF272552
                                                                      SHA1:F32E33F90725B618F360E4D4BD8EBD2F503926D7
                                                                      SHA-256:30BD431AA7E0776D6B0106C50C3F2D4BCB548017C7D4E28445E211BFF02B28F9
                                                                      SHA-512:B71F96D6024F191C557F34D431C5793A28A6539C044633DC5E5D588D1B1E2474144741A2E1967400C4B59374E34D2EC95F0BE674FCAF31C27053C9D55A64302A
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):254579
                                                                      Entropy (8bit):7.97880673534001
                                                                      Encrypted:false
                                                                      SSDEEP:6144:XQ/0aIxf/ZKh7+syvrXT3rPBOayL+yX0PlPi0/:X3s65OX+aUs0/
                                                                      MD5:E2F24B2E8F4F53F996D4EB1932B46434
                                                                      SHA1:079AECC12087E853371980A327F2BD43B49C3A02
                                                                      SHA-256:554070DBCBA13B10E2C7AE9954BB0F04B3F9E0A1E7F504F4D2016AEDA942126C
                                                                      SHA-512:CE5646F1966BEA12D1592A292E0C4D5038E7428B437DACA0B45C3F323A3B64B8C6FF2CF26616810DA224C4EB6A16B175281F364EAEA7F4FAB12D6D5DAFC17F87
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):14984
                                                                      Entropy (8bit):7.963743079737347
                                                                      Encrypted:false
                                                                      SSDEEP:384:EoKAYb88kGixm2UHGMmj5AMwz7sdtRlL1x7s4I:EoK/QGGMm0zg7Xsv
                                                                      MD5:F982AC190FAC60A335A7D7EB8A05EEB7
                                                                      SHA1:8BE5F9EB86E19E27B293556272421689FB4C254D
                                                                      SHA-256:F4CE666E9C34E60F093D1DC7DCA1000D6E7C56C25CF19C03729B12E761C98DB3
                                                                      SHA-512:BF17143AB94689470A4A7784FD7D831D48C506F772F6C901D00E7564020054F39707B20D0AA2318F5EB273BB0D8ADF0D4DC48444ED9E095E328EFFBE27BBC740
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):312178
                                                                      Entropy (8bit):7.827206492693161
                                                                      Encrypted:false
                                                                      SSDEEP:6144:ElMcuENrqRb0gXSGSL3Cg6lk8PvqylCJ9cLBmzX:EeaNrmJ2L3CPBlI9cLg7
                                                                      MD5:145949C0568A0E79567471ABBCCCA0B6
                                                                      SHA1:A05E4B37F357B3CDDE8A84D4ED8CAADF122257D3
                                                                      SHA-256:A2550E98F4E2BD5C42CE119EA3B58843E09CD3B69096C792A11489331341A21C
                                                                      SHA-512:792F10D06167BC0AF9AC0039FCD0DE807BCC9DDE53AD3ED7BD3F0ACE721B28954C0C8C1F3CC3F3C9403E35BC9FF3B3599206E09D6B5BEE52B70C118FA8D72B16
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3946
                                                                      Entropy (8bit):7.933968542030117
                                                                      Encrypted:false
                                                                      SSDEEP:96:8RwdOu5EH1Fb89n6FrO/D6eA4xwPmpOWeQK6w46duN:8udOu561FmsK6eA4xlf9MuN
                                                                      MD5:0D415FAA3F069A6B66468C1B38FC3DEE
                                                                      SHA1:AB64788FB0A71828415AE91CD2881F066DC368F5
                                                                      SHA-256:271E6ACD5920B9E44A26CD20060C8DA1CB288DC23BBCFAA920F9DBA56C421EB5
                                                                      SHA-512:77960DD3FAFF3B77759224D603FE61F25397EB7F1938E173703932A31C84EAF479397BEE0F28ABA0B39604BF0EBE138F9EE9158261AA404A5CEC6C95ED4DC8B3
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):91806
                                                                      Entropy (8bit):7.9603919287598375
                                                                      Encrypted:false
                                                                      SSDEEP:1536:0xOXeBBWzc8eoFrA0f56Utb1whQN0DjYklpnhgC4XUVTLx4G14riWluWk:0xeeBBWzcNotA0B5IQNdkLnhgCl54G1F
                                                                      MD5:1827A49DB62CF4DDF17639CE8293F8F4
                                                                      SHA1:3F66375565FEDD202801644A2451FBDEA4066432
                                                                      SHA-256:B6F8FC8E3DBF61EBEFB1A73E851E7054E783FBB5BCFDA45EEE259B1923DFBCFF
                                                                      SHA-512:5D406404129A42B9CC99BD8EB912EE3F1C3402F1F8D181E3C28EA9C7CA98C665297D31DF53E9C4A9BC29BDCD52E1B79BA22C0550468D2259DA3BA634FC980563
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):862
                                                                      Entropy (8bit):7.663081861451157
                                                                      Encrypted:false
                                                                      SSDEEP:12:Jr4KgIutFMbJye4Axr4rSw0HPzhLTb3/WtxxiNiC9QnwwXct0Ifki2SfzkDFojJV:t2Re4Yvzx7/Wtmx2MtldfuFRb+Pb
                                                                      MD5:A9A483894B3C4295E9540E60D4ABE178
                                                                      SHA1:CD0A61B96F11B8ECFE34188C438F30F8D6339D95
                                                                      SHA-256:E5B4DD528A179AC37C0A46DF63663547437005752FFB53C1B21722D33F2A9D75
                                                                      SHA-512:2AC88A9D387ECCBF8AC4F7A71048796CC036920E103A43C47CA555A4D7F78AAA264BCC49DCEDF0EE9CA7790B7EA8DD40B5BBC21235DE8AB2AD94BC29BF552D24
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):1441816
                                                                      Entropy (8bit):7.514168446368041
                                                                      Encrypted:false
                                                                      SSDEEP:12288:OPkwMoOiRSuoU/3yTQKyhR2YmnyTSK1SlcXV4mlxstBy:qgBifoEily2yOK1SlcX6mlxszy
                                                                      MD5:1DF6CAF3AC5ADFC6B108DCF832003F2E
                                                                      SHA1:0D4334894C3B0FDEFF0863F9734801FC32C4ECCC
                                                                      SHA-256:F56C9196068AAAFE35474628F6DF7B32FEC7661776C1E31E6993FC96363C7C17
                                                                      SHA-512:19A11417210F2066CD00D0F2A5C3F768E23462CBAC4FB3040BA873486B95102C0E6078989682731D93F6F4F3C8CA6F5D071BEA9A082CD403C1D13B85393354A6
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlllul3nqth:NllUa
                                                                      MD5:851531B4FD612B0BC7891B3F401A478F
                                                                      SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                      SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                      SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:Unicode text, UTF-8 text
                                                                      Category:dropped
                                                                      Size (bytes):1636
                                                                      Entropy (8bit):5.202597135655108
                                                                      Encrypted:false
                                                                      SSDEEP:48:WXufmCFpWyj/E2RUFKUn1R7ARj7qQXPHrHATBbB:W4mOp7o2SFKUn1WeQfLATB9
                                                                      MD5:2C97DAB34E4AB7F089F0811866C7784D
                                                                      SHA1:7C526F204D066FC5E1C59EB765F42F7B363F74BC
                                                                      SHA-256:3583C0EB329CA6499C64EF5E84F7F888AEF5BF2892F73145DA9A75E336D56657
                                                                      SHA-512:AE8B3E3083098E124397DA4E0DF6779A6D745FB1388D656F530C052906B06B6C1B895D01AAD371EAB24988F4E379E98379959F9966EE9631200D5C6937AAA0E3
                                                                      Malicious:false
                                                                      Preview:.# .. Funksec V1.5 ..... **Congratulations** . Your organization, device has been successfully infiltrated by funksec ransomware!..## .. **Stop**.- Do NOT attempt to tamper with files or systems..- Do NOT contact law enforcement or seek third-party intervention..- Do NOT attempt to trace funksec's activities...## .. **What happened**.- your files encrypted by funksec ransomware, becarfull to play or try dercrypt the files becouse you just will lose it more..- We stole all your data..- No anti-virus will restore it; this is an advanced ransomware..- your data will be leaked if you don't pay ransom..## .. **Ransom Details**.- Decryptor exe fee: **0.1 BTC**.- Bitcoin wallet address: `bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq`.- Payment instructions:. 1. Buy 0.1 bitcoin.. 2. Install session from: https://getsession.org/. 3. Contact us with this ID to receive the decryptor: 0538d726ae3cc264c1bd8e66c6c6fa366a3dfc589567944170001e6fdbea9efb3d..## .. **How to buy bitcoin**.-
                                                                      Process:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 696x516, components 3
                                                                      Category:dropped
                                                                      Size (bytes):25447
                                                                      Entropy (8bit):7.009816137563603
                                                                      Encrypted:false
                                                                      SSDEEP:384:icpk7sPEFPLY2xiy7JDk0Ot+A+AedexytJ0e:i5NLY20y75fO8A+HexyL
                                                                      MD5:D10E302877008B2567890DE25F6D3711
                                                                      SHA1:318D25D53DCD8765D79C6CEF07A6AEA72A4BF76F
                                                                      SHA-256:EA627D5499996BDA0BDEF215B41FF4353BC9E9C6886AF45115D5EC5E170EAD93
                                                                      SHA-512:173A2F5F2357E44D9A7C7E29D089AB81CC61495830CFBD40506B66992F41652CC7691E64CB7D4597F323C4B12EC96B0B5BD61BEDE4D0A69CACDCE56D0E4AE761
                                                                      Malicious:false
                                                                      File type:PE32+ executable (console) x86-64, for MS Windows
                                                                      Entropy (8bit):6.23993361393518
                                                                      TrID:
                                                                      • Win64 Executable Console (202006/5) 92.65%
                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:wuknbFMdeq.exe
                                                                      File size:5'484'032 bytes
                                                                      MD5:73744280fb8e7db578c9303b7620fb16
                                                                      SHA1:082258d125f9fb3ea080da1b1fa86bf0a0302cd8
                                                                      SHA256:00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c
                                                                      SHA512:6dff7eba43088f64f070133d85ba5861b796b34ee770561f2fea9501f2792bd620387d7d4c0ad21fbea6e410aef59cf7d29cb0807662883d6baae146fc4e423e
                                                                      SSDEEP:49152:d0EXb1TLA+w5C9qnQq9/7xmspwRURBa77dr5dYqBB42u11vtdHeE/90stTDw6xX1:M5C9YnCgHe+3IxbhVJIj59
                                                                      TLSH:7A463A22BB5A99ADC49AC0B0835687B2697134CB0B3579FF44C446783E6DAF42F3C758
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d....<|g.........."
                                                                      Icon Hash:00928e8e8686b000
                                                                      Entrypoint:0x14036bc0c
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x140000000
                                                                      Subsystem:windows cui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x677C3C99 [Mon Jan 6 20:27:05 2025 UTC]
                                                                      TLS Callbacks:0x40352bc0, 0x1
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:6
                                                                      OS Version Minor:0
                                                                      File Version Major:6
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:6
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:d7504b2e9d234efaa447a2dba2cc1ee3
                                                                      Instruction
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      call 00007F97F8899638h
                                                                      dec eax
                                                                      add esp, 28h
                                                                      jmp 00007F97F8899257h
                                                                      int3
                                                                      int3
                                                                      jmp 00007F97F88999D8h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      call 00007F97F8899CA0h
                                                                      test eax, eax
                                                                      je 00007F97F8899403h
                                                                      dec eax
                                                                      mov eax, dword ptr [00000030h]
                                                                      dec eax
                                                                      mov ecx, dword ptr [eax+08h]
                                                                      jmp 00007F97F88993E7h
                                                                      dec eax
                                                                      cmp ecx, eax
                                                                      je 00007F97F88993F6h
                                                                      xor eax, eax
                                                                      dec eax
                                                                      cmpxchg dword ptr [001A163Ch], ecx
                                                                      jne 00007F97F88993D0h
                                                                      xor al, al
                                                                      dec eax
                                                                      add esp, 28h
                                                                      ret
                                                                      mov al, 01h
                                                                      jmp 00007F97F88993D9h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      test ecx, ecx
                                                                      jne 00007F97F88993E9h
                                                                      mov byte ptr [001A1625h], 00000001h
                                                                      call 00007F97F889998Dh
                                                                      call 00007F97F88996A0h
                                                                      test al, al
                                                                      jne 00007F97F88993E6h
                                                                      xor al, al
                                                                      jmp 00007F97F88993F6h
                                                                      call 00007F97F8899693h
                                                                      test al, al
                                                                      jne 00007F97F88993EBh
                                                                      xor ecx, ecx
                                                                      call 00007F97F8899688h
                                                                      jmp 00007F97F88993CCh
                                                                      mov al, 01h
                                                                      dec eax
                                                                      add esp, 28h
                                                                      ret
                                                                      int3
                                                                      int3
                                                                      inc eax
                                                                      push ebx
                                                                      dec eax
                                                                      sub esp, 20h
                                                                      cmp byte ptr [001A15ECh], 00000000h
                                                                      mov ebx, ecx
                                                                      jne 00007F97F8899449h
                                                                      cmp ecx, 01h
                                                                      jnbe 00007F97F889944Ch
                                                                      call 00007F97F8899C16h
                                                                      test eax, eax
                                                                      je 00007F97F889940Ah
                                                                      test ebx, ebx
                                                                      jne 00007F97F8899406h
                                                                      dec eax
                                                                      lea ecx, dword ptr [001A15D6h]
                                                                      call 00007F97F8899CE8h
                                                                      test eax, eax
                                                                      jne 00007F97F88993F2h
                                                                      Programming Language:
                                                                      • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x508384         0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x50e000         0x28d88       .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x537000         0x614c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x477990         0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x477a00         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x477850         0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x37e000         0x660         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x37cb3f      0x37cc00  7a4280ac0ff1c92ffe1488b22f663bb2  unknown   unknown             unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x37e000         0x18bb10      0x18bc00  36909f178de4699aea6eeaa2ff768761  False     0.2624244906822489  data       5.389744458281997   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x50a000         0x3310        0x3200    5bd0672333f019feac5a3b506b30a328  False     0.160390625         data       2.375928556954518   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x50e000         0x28d88       0x28e00   2b7def9f92a2c47e9bb7f43fda3c20ca  False     0.5000776471712538  data       6.4182462870283965  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x537000         0x614c        0x6200    d8c50222848008175c494a5a07709729  False     0.4296077806122449  data       5.452538760508652   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL                                 Import
api-ms-win-core-synch-l1-2-0.dll    WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll                ProcessPrng
kernel32.dll                        GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SetHandleInformation, GetSystemTimeAsFileTime, InitializeSListHead, lstrlenW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, DuplicateHandle, CreateWaitableTimerExW
ws2_32.dll                          send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
user32.dll                          SystemParametersInfoW
shell32.dll                         SHGetKnownFolderPath
ole32.dll                           CoTaskMemFree
advapi32.dll                        RegOpenKeyExW, RegQueryValueExW, RegCloseKey, SystemFunction036
secur32.dll                         AcquireCredentialsHandleA, DeleteSecurityContext, DecryptMessage, QueryContextAttributesW, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, ApplyControlToken, EncryptMessage, FreeCredentialsHandle
crypt32.dll                         CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll                           NtCancelIoFileEx, NtCreateFile, NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll                          BCryptGenRandom
VCRUNTIME140.dll                    memcmp, __current_exception_context, memmove, __current_exception, memset, __CxxFrameHandler3, memcpy, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll      roundf, pow, round, exp2f, truncf, ceil, powf, __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll   _crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll     __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll    _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll      free, _set_new_mode
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Timestamp                        Source Port  Dest Port  Source IP    Dest IP
Jan 13, 2025 07:22:10.939371109 CET  62814    53         192.168.2.5  1.1.1.1
Jan 13, 2025 07:22:10.946787119 CET  53       62814      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
Jan 13, 2025 07:22:10.939371109 CET  192.168.2.5  1.1.1.1  0xcb8b    Standard query (0)  i.imgur.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName                      Address          Type                    Class        DNS over HTTPS
Jan 13, 2025 07:22:10.946787119 CET  1.1.1.1    192.168.2.5  0xcb8b    No error (0)  i.imgur.com                ipv4.imgur.map.fastly.net                   CNAME (Canonical name)  IN (0x0001)  false
Jan 13, 2025 07:22:10.946787119 CET  1.1.1.1    192.168.2.5  0xcb8b    No error (0)  ipv4.imgur.map.fastly.net                             199.232.192.193  A (IP address)          IN (0x0001)  false
Jan 13, 2025 07:22:10.946787119 CET  1.1.1.1    192.168.2.5  0xcb8b    No error (0)  ipv4.imgur.map.fastly.net                             199.232.196.193  A (IP address)          IN (0x0001)  false
                                                                      • i.imgur.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49704        199.232.192.193  443               6180  C:\Users\user\Desktop\wuknbFMdeq.exe
Timestamp  Bytes transferred  Direction  Data
2025-01-13 06:22:11 UTC  62  OUT
GET /HCYQoVR.jpeg HTTP/1.1
                                                                      accept: */*
                                                                      host: i.imgur.com
2025-01-13 06:22:11 UTC  762  IN
HTTP/1.1 200 OK
                                                                      Connection: close
                                                                      Content-Length: 28864
                                                                      Content-Type: image/jpeg
                                                                      Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT
                                                                      ETag: "70f83e99427ac54b92283eaecb69c5df"
                                                                      x-amz-server-side-encryption: AES256
                                                                      X-Amz-Cf-Pop: IAD89-P1
                                                                      X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA==
                                                                      cache-control: public, max-age=31536000
                                                                      Accept-Ranges: bytes
                                                                      Age: 1113895
                                                                      Date: Mon, 13 Jan 2025 06:22:11 GMT
                                                                      X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740076-EWR
                                                                      X-Cache: Miss from cloudfront, HIT, HIT
                                                                      X-Cache-Hits: 85, 0
                                                                      X-Timer: S1736749332.805923,VS0,VE1
                                                                      Strict-Transport-Security: max-age=300
                                                                      Access-Control-Allow-Methods: GET, OPTIONS
                                                                      Access-Control-Allow-Origin: *
                                                                      Server: cat factory 1.0
                                                                      X-Content-Type-Options: nosniff
                                                                      Data Ascii: }J:BX6}JDR1`?)&[OXuT\HJe)"2joM2'p,|5?')G+Ge,R0Y[grW>!TQmI7FyRrbn"VN8?.\m9LJ,T`2iTN<pfVdNO<~*Od


                                                                      Target ID:0
                                                                      Start time:01:21:58
                                                                      Start date:13/01/2025
                                                                      Path:C:\Users\user\Desktop\wuknbFMdeq.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\wuknbFMdeq.exe"
                                                                      Imagebase:0x7ff77adc0000
                                                                      File size:5'484'032 bytes
                                                                      MD5 hash:73744280FB8E7DB578C9303B7620FB16
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\net.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"net" session
                                                                      Imagebase:0x7ff76ef50000
                                                                      File size:59'904 bytes
                                                                      MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\net1.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\net1 session
                                                                      Imagebase:0x7ff6515b0000
                                                                      File size:183'808 bytes
                                                                      MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"tasklist" /fi "IMAGENAME eq vmware"
                                                                      Imagebase:0x7ff6da120000
                                                                      File size:106'496 bytes
                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"powershell" -Command "wevtutil sl Security /e:false"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"powershell" -Command "wevtutil sl Application /e:false"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:01:21:59
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:01:22:01
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\wevtutil.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\wevtutil.exe" sl Application /e:false
                                                                      Imagebase:0x7ff61abf0000
                                                                      File size:278'016 bytes
                                                                      MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:01:22:01
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\wevtutil.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\wevtutil.exe" sl Security /e:false
                                                                      Imagebase:0x7ff61abf0000
                                                                      File size:278'016 bytes
                                                                      MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:01:22:05
                                                                      Start date:13/01/2025
                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                      Imagebase:0x7ff6ef0c0000
                                                                      File size:496'640 bytes
                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2216520438.00007FF77ADC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77ADC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.2216501555.00007FF77ADC0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B13E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B1DC000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B1E8000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B1EC000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B1F9000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216756279.00007FF77B219000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216973436.00007FF77B2CA000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2216994551.00007FF77B2CB000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2217013426.00007FF77B2CC000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2217037231.00007FF77B2CE000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff77adc0000_wuknbFMdeq.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                        • String ID:
                                                                        • API String ID: 2933794660-0
                                                                        • Opcode ID: 3071f2becf7132e51ba8a51fd487898529ce6a3a808eea01c9b68c6410683503
                                                                        • Instruction ID: 0a5ee56e8feddf3b5e215d7dbcf93194a9f33836e83283eaa301c5b88c154a73
                                                                        • Opcode Fuzzy Hash: 3071f2becf7132e51ba8a51fd487898529ce6a3a808eea01c9b68c6410683503
                                                                        • Instruction Fuzzy Hash: 71115133B25F058AEB00DF64E8442B873A4F719758F840E31DA1D477A8DF78D1588350
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2122271192.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction ID: a525311bf5e0898e04d495dce5ac7619facc0d09e4621ee5b042099af78d6db2
                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction Fuzzy Hash: E701677111CB0D4FDB44EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E882CB45