Windows Analysis Report
3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe

Overview

General Information

Sample Name: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
Analysis ID: 886296
MD5: 3a11441161f1aa4369106ee9c9ae437b
SHA1: 9715f96ae122e642fef7369f9041f519c12709eb
SHA256: 6b361cbcc4d5c89d751e3d5509df36433af662c2bdd4e83aecddc1e713b3400b
Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Installs a raw input device (often for capturing keystrokes)
Tries to load missing DLLs
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Program does not show much activity (idle)

Classification

(classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64native
  • 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe (PID: 8340 cmdline: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe MD5: 3A11441161F1AA4369106EE9C9AE437B)
    • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Process Memory Space: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe PID: 8340 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

No Sigma rule has matched
No Snort rule has matched
Exploits

Source: Yara match | File source: 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe PID: 8340, type: MEMORYSTR
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp, 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.com
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.com&
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.com:
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp, 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.com?access-token=qwrewkotnoqinrio3unroqwrewkotnoqinrio3unroqwrewkotnoqinrio3unroqwre
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.comF
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.comT
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.comZ
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.comd
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.site.comz
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issues/root/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.1
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issues/rustc/f03ce30962cf1b2a5158667eabae8bf6e8d1cb03
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issuesKeykey
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/rust-lang/rust/issues/39364
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/rust-lang/rust/issues/39364h
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/rust-lang/rust/issues/39364p
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.torproject.org/
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000003.57454287590.00000000188C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files (x86)\autoit3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

Spam, unwanted Advertisements and Ransom Demands

Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /all /quietshadow_copy::remove_all_vss=
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Section loaded: edgegdi.dll
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:304:WilStaging_02
Source: classification engine | Classification label: mal52.rans.expl.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | File read: C:\Program Files\Mozilla Firefox\application.ini
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static file information: File size 22715392 > 1048576
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1045a00
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1adc00
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Raw size of .eh_fram is bigger than: 0x100000 < 0x19ec00
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x1cb600
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Static PE information: section name: .eh_fram
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 513
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Binary or memory string: j"hgfS
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\00000000-container.dat VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\10000000-container.dat VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\DP45977C.lfl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\20000000-previous.jsonlz4 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.dat VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\30000000-RUXIMLog.029.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt v3 Website.url VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt.chm VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\AppXManifest.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\FileSystemMetadata.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Mozilla\profile_count_308046B0AF4A39CB.json VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\ThinAppXManifest.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_98ddf9a3-d13b-45e1-acb4-2c841d46f02f.json VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Mozilla\UpdateLock-308046B0AF4A39CB VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\Accessible.tlb VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\application.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\crashreporter.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Users\user\ntuser.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\defaultagent.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\defaultagent_localized.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\dir0000.chk\scriptCache-child-current.bin VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\found.000\dir0000.chk\scriptCache-current.bin VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\COPYRIGHT VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\dependentlibs.list VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-03.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-14.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\LICENSE VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\firefox.exe.sig VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-22.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\README.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\release VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-30.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.chm VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\install.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\THIRDPARTYLICENSEREADME-JAVAFX.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2022-01-20.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.psd1 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\Logs\IntelCPHS.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\installation_telemetry.json VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\OSSNotice.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2022-02-23.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\THIRDPARTYLICENSEREADME.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\locale.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.Assembly.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\calculator.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Google\Update\GoogleUpdate.bk VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\Welcome.html VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_DLL.h VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-25.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\omni.ja VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\count-do.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_DLL.lib VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\platform.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-26.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\count-for.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_x64_DLL.lib VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-30.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\count-while.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\au3.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\plugin-container.exe.sig VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\functions.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\gcc_svc_log_2023-06-12.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\RUXIMDisplay.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Extras\_ReadMe_.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\analysistimer.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\precomplete VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\inputbox.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\au3script_v10.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\RUXIMSynchronization.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIComConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\removed-files VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Intel\GCC\IGCCSvc.db VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\msgbox.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\au3script_v11.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\notepad1.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\update-settings.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Google\Chrome\Application\master_preferences VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\SciTE\au3.keywords.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\au3script_v9.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIDiagConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\notepad2.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\updater.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIDlgConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\filetype-blank.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\_ReadMe_.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\xul.dll.sig VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIErrorsConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Microsoft OneDrive\setup\refcount.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIFilesConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Green.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\Office16\OSPP.HTM VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIGdiConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\Office16\OSPP.VBS VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Red.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\root\c2rx.sccd VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APILocaleConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\Office16\SLERROR.XML VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Yellow.ico VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIMiscConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIProcConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIRegConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\jDownloader\config\database.script VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIResConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\APIShellExConstants.au3 VolumeInformation
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\AQRFEVRTGL.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\APIShPathConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\AQRFEVRTGL.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\AQRFEVRTGL.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\APISysConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\AQRFEVRTGL.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\AQRFEVRTGL.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\AQRFEVRTGL.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\APIThemeConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\AQRFEVRTGL.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\AQRFEVRTGL.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Bing.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\BXAJUJAOEO.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Array.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\AQRFEVRTGL.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\BXAJUJAOEO.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\BXAJUJAOEO.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ArrayDisplayInternals.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\BXAJUJAOEO.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\af-ZA\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Google.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\BXAJUJAOEO.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\BXAJUJAOEO.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\AutoItConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Live.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\GLTYDMDUST.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\GLTYDMDUST.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\GLTYDMDUST.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\HMPPSXQPQV.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\ar\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\HMPPSXQPQV.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\HMPPSXQPQV.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\AVIConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\IZMFBFKMEB.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\IZMFBFKMEB.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\IZMFBFKMEB.mp3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Twitter.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\BorderConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\az-Latn-AZ\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\LFOPODGVOH.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ButtonConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\LFOPODGVOH.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\LFOPODGVOH.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\LFOPODGVOH.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\LFOPODGVOH.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Favorites\Youtube.url VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\LFOPODGVOH.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Clipboard.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\LIJDSFKJZG.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\LIJDSFKJZG.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Color.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\LIJDSFKJZG.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\LIJDSFKJZG.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\LIJDSFKJZG.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\IntelGraphicsProfiles\Brighten Video.man.igpi VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ColorConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\LIJDSFKJZG.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\NIRMEKAMZH.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\bg\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\NIRMEKAMZH.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ComboConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\QFAPOWPAFG.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\IntelGraphicsProfiles\Darken Video.man.igpi VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\NIRMEKAMZH.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\QFAPOWPAFG.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\SNIPGPPREP.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Constants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\IntelGraphicsProfiles\Enhance Video Colors.man.igpi VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\QFAPOWPAFG.pdf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\SNIPGPPREP.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\UNKRLCVOHV.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\corporate.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\SNIPGPPREP.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\UNKRLCVOHV.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Crypt.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\UNKRLCVOHV.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v10_256x256_RGB-A.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\bs-Latn-BA\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\UNKRLCVOHV.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\UNKRLCVOHV.docx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\CUIAutomation2.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Downloads\WSHEJMDVQC.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v10_48x48_256.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Date.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\UNKRLCVOHV.xlsx VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v10_48x48_RGB-A.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Desktop\WSHEJMDVQC.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\DateTimeConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v11_256x256_RGB-A.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\ca-ES\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Debug.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\user\Documents\WSHEJMDVQC.jpg VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\cs\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v9_48x48_256.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\DirConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v9_48x48_RGB-A.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\EditConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\cy-GB\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Old1.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Users\Public\Libraries\RecordedTV.library-ms VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\EventLog.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\Mozilla Firefox\browser\omni.ja VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Old2.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\da\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Excel.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Old3.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\de\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ExcelConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\el-GR\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Old4.ico VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\File.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\en-GB\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\FileConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP01.ICO VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\en-US\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\es\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\FontConstants.au3 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP02.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\es-MX\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\eu-ES\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\et\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\FrameConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP03.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\FTPEx.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP04.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\fa-IR\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\fi\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\fr\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\fr-CA\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GDIPlus.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP05.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\gl-ES\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GDIPlusConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP06.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\he\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiAVI.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP07.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\hr\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiButton.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP08.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiComboBox.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\hu\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP09.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiComboBoxEx.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-1.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP10.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\bin\javacpl.cpl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\ar-sa\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\id\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GUIConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-2.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\accessibility.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP11.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GUIConstantsEx.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\SETUP12.ICO VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\calendars.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiDateTimePicker.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\bg-bg\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\is-IS\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.001.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiEdit.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\charsets.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Users\user\Searches\winrt--{S-1-5-21-3425316567-2969588382-3778222414-1001}-.searchconnector-ms VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\cs-sz\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiHeader.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\classlist VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.002.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\it\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\da-dk\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ja\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiImageList.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\content-types.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.003.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiIPAddress.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\de-de\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.004.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\currency.data VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ka-GE\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\el-gr\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiListBox.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\kk-KZ\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.005.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ko\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\deploy.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\lt\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiListView.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.006.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\flavormap.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiMenu.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.007.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\lv\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\fontconfig.bfc VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiMonthCal.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\en-gb\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.008.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ms-MY\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\fontconfig.properties.src VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiReBar.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.009.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\en-us\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.010.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\hijrah-config-umalqura.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\nb\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\es-es\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiRichEdit.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.011.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\nl\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\et-ee\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiScrollBars.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\es-mx\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\javafx.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.012.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\nn-NO\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\fi-fi\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiSlider.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.013.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\javaws.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiStatusBar.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.014.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\jce.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\fr-ca\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiTab.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\fr-fr\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\he-il\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.015.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiToolbar.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\pl\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\jfr.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.016.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiToolTip.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\hr-hr\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\pt\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\hu-hu\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\jfxswt.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\pt-PT\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.017.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\GuiTreeView.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\META-INF\cose.manifest VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\jsse.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.018.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\HeaderConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ro\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\META-INF\cose.sig VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\ru\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\it-it\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.019.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\helper.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\jvm.hprof.txt VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\META-INF\manifest.mf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sk\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.020.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\htmlfetcher.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\ja-jp\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\META-INF\mozilla.rsa VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\logging.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\AutoItX-test.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.021.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\htmlfetcherchrome.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\Mozilla Firefox\META-INF\mozilla.sf VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\management-agent.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ErrorEventTest-ADSI.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\ko-kr\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\IE.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.022.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sl\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ErrorEventTest-WMI.AU3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\meta-index VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\ImageListConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.001.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.023.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sq-AL\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\EventTest-IE6.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sr-Cyrl-BA\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\Inet.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.002.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\lt-lt\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.024.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\net.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\EventTest-SAPI.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\InetConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.003.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.025.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\plugin.jar VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\EventTest-ShellWindows.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Extras\AutoUpdateIt\AutoUpdateIt.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\IPAddressConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.004.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\lv-lv\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.026.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sr-latn\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\psfont.properties.ja VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\EventTest-WMI.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\keylogger.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.005.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.027.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\psfontj2d.properties VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ExcelAutomationTest.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\Include\ListBoxConstants.au3 VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.028.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\th\PCHealthCheck.exe.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\nb-no\RUXIMUXResources.dll.mui VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.006.etl VolumeInformation
Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe | Queries volume information: C:\Program Files\PCHealthCheck\sv\PCHealthCheck.exe.mui VolumeInformation
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\resources.jar VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ExcelDataTest.AU3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\ListViewConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.007.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\liveprocess.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\rt.jar VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ExcelFastTest.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.029.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Math.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\tr-TR\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\nl-nl\RUXIMUXResources.dll.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.030.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\MathConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.009.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Extras\Editors\_ReadMe_.txt VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ExcelFileTest.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\sound.properties VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\Memory.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.010.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\ExcelGetObjTest.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\tzdb.dat VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.031.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\MemoryConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.011.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Extras\Geshi\autoit.php VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\FileSearchTest.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\Java\jre1.8.0_301\lib\tzmappings VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\PCHealthCheck\uk\PCHealthCheck.exe.mui VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.032.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Include\MenuConstants.au3 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files\ruxim\Logs\RUXIMLog.013.etl VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\getHTMLsource.au3 VolumeInformationJump to behavior
MITRE ATT&CK matrix, listed per tactic. The number in brackets is the match count the report shows beside a technique; entries without a number are the placeholder techniques the matrix always lists and do not reflect observed behaviour.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Disable or Modify Tools (1), Process Injection (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS
Discovery: Security Software Discovery (1), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (11)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Input Capture (11), Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud
Behavior graph (ID 886296, sample 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, start date 13/06/2023, architecture WINDOWS, score 52; graph image and icon legend not reproduced): the sample process started and spawned conhost.exe; the graph attaches two signatures to the sample, "Yara detected UAC Bypass using CMSTP" and "Deletes shadow drive data (may be related to ransomware)".

Screenshots: nine thumbnails (images not reproduced).

      No Antivirus matches
URL scan results (source, detection, scanner, label):
http://www.site.comT: 0%, Avira URL Cloud, safe
http://www.site.comd: 0%, Avira URL Cloud, safe
http://www.site.comF: 0%, Avira URL Cloud, safe
http://www.site.com&: 0%, Avira URL Cloud, safe
http://www.site.comZ: 0%, Avira URL Cloud, safe
      No contacted domains info
URLs found in process memory (name | source | malicious | antivirus detection | reputation):
http://www.site.comd | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/clap-rs/clap/issuesKeykey | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
http://www.site.com& | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.site.comF | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/rust-lang/rust/issues/39364p | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
http://www.site.com: | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://www.site.comZ | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.site.comz | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
https://github.com/clap-rs/clap/issues/root/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.1 | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
http://www.site.com | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020C4000.00000004.00000020.00020000.00000000.sdmp; 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://www.site.comT | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/rust-lang/rust/issues/39364h | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
https://www.torproject.org/ | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
https://github.com/clap-rs/clap/issues | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
https://github.com/clap-rs/clap/issues/rustc/f03ce30962cf1b2a5158667eabae8bf6e8d1cb03 | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
https://docs.rs/getrandom#nodejs-es-module-supportCalling | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
https://github.com/rust-lang/rust/issues/39364 | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp | false | none | high
http://www.site.com?access-token=qwrewkotnoqinrio3unroqwrewkotnoqinrio3unroqwrewkotnoqinrio3unroqwre | 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.000000000204E000.00000004.00000020.00020000.00000000.sdmp; 3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe, 00000006.00000002.57486774182.00000000020F9000.00000004.00000020.00020000.00000000.sdmp | false | none | high

Two caveats when reading this list. The trailing characters on otherwise identical URLs (T, d, F, &, Z, z, :, p, h, "Keykey", "Calling") are string-extraction overruns into the bytes that follow the URL in memory, not distinct addresses, so the site.com entries are one string seen several times. The github.com/clap-rs, github.com/rust-lang, docs.rs/getrandom and /rustc/<commit> strings are panic-location and diagnostic text that the Rust toolchain embeds in binaries built with the clap and getrandom crates; they identify the build toolchain, not network destinations, and no contact with any of these URLs was observed (see "No contacted domains info" and "No contacted IP infos").
                                No contacted IP infos
                                Joe Sandbox Version:37.1.0 Beryl
                                Analysis ID:886296
                                Start date and time:2023-06-13 00:50:11 +02:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 9m 26s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed:12
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample file name:3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
                                Detection:MAL
                                Classification:mal52.rans.expl.winEXE@2/0@0/0
                                EGA Information:Failed
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240s for sample files taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.190.159.23, 40.126.31.71, 40.126.31.67, 20.190.159.75, 20.190.159.71, 20.190.159.4, 20.190.159.0, 40.126.31.73
                                • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, prdv4a.aadg.msidentity.com, login.live.com, tile-service.weather.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wdcp.microsoft.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtCreateFile calls found.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                • Report size getting too big, too many NtReadFile calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                No simulations
                                No context
                                No created / dropped files found
                                File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                Entropy (8bit):6.982878919342371
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.53%
                                • InstallShield setup (43055/19) 0.43%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
                                File size:22715392
                                MD5:3a11441161f1aa4369106ee9c9ae437b
                                SHA1:9715f96ae122e642fef7369f9041f519c12709eb
                                SHA256:6b361cbcc4d5c89d751e3d5509df36433af662c2bdd4e83aecddc1e713b3400b
                                SHA512:b446731eab5a40c9186b310e64bdd003980534d9cbe5fcddf36743af1271d70b67da7aff6898ada0060fd7eaa8230ca34ecb912df5533e009367d64f8bfa8a6a
                                SSDEEP:393216:RZ5xJpmMjmzEg4ATBEzDg5qK4cnYwCr+y5vRLWFXnI5:3fJLjmEz85qK4cqfxWFXny
                                TLSH:AC378C69E88B6ABCE67F60B074BEF730AD94095850175C3BC98ACD72A24E7713C4C51B
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...............&.Z....Z..............p....@...........................[.....[`[...@... ............................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x4014c0
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x64878ACF [Mon Jun 12 21:14:55 2023 UTC]
                                TLS Callbacks:0x128ebf0, 0x12f3f10, 0x12f3ec0
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:85ef7318bb835aa46c61c78ecdfc6748
                                Instruction
                                mov dword ptr [017DF284h], 00000000h
                                jmp 00007FD168500D36h
                                nop
                                sub esp, 1Ch
                                mov eax, dword ptr [esp+20h]
                                mov dword ptr [esp], eax
                                call 00007FD1693EDA0Eh
                                test eax, eax
                                sete al
                                add esp, 1Ch
                                movzx eax, al
                                neg eax
                                ret
                                nop
                                nop
                                nop
                                push ebp
                                mov ebp, esp
                                push edi
                                push esi
                                push ebx
                                sub esp, 1Ch
                                mov dword ptr [esp], 015F5000h
                                call dword ptr [017E0810h]
                                sub esp, 04h
                                test eax, eax
                                je 00007FD168501105h
                                mov ebx, eax
                                mov dword ptr [esp], 015F5000h
                                call dword ptr [017E0860h]
                                mov edi, dword ptr [017E0820h]
                                sub esp, 04h
                                mov dword ptr [017DE020h], eax
                                mov dword ptr [esp+04h], 015F5013h
                                mov dword ptr [esp], ebx
                                call edi
                                sub esp, 08h
                                mov esi, eax
                                mov dword ptr [esp+04h], 015F5029h
                                mov dword ptr [esp], ebx
                                call edi
                                mov dword ptr [01447004h], eax
                                sub esp, 08h
                                test esi, esi
                                je 00007FD1685010A3h
                                mov dword ptr [esp+04h], 017DE024h
                                mov dword ptr [esp], 0163F000h
                                call esi
                                mov dword ptr [esp], 004015A0h
                                call 00007FD168500FF3h
                                lea esp, dword ptr [ebp-0Ch]
                                pop ebx
                                pop esi
                                pop edi
                                pop ebp
                                ret
                                lea esi, dword ptr [esi+00000000h]
                                mov dword ptr [01447004h], 0000DA90h
Data directories (name: virtual address, virtual size, containing section):
IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x13e0000, 0x275c, .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x13e5000, 0x1cb418, .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_TLS: 0x12390a4, 0x18, .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_IAT: 0x13e065c, 0x51c, .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (name: virtual address, virtual size, raw size; xored PE, ZLIB complexity, file type, entropy; characteristics). The "file type" column is what libmagic makes of the raw section bytes; the ECOFF and Matlab guesses for .idata and .CRT are coincidental matches on a few header bytes and carry no meaning.
.text: 0x1000, 0x10459ec, 0x1045a00; unknown, unknown, unknown, unknown; IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data: 0x1047000, 0x1adbb8, 0x1adc00; False, 0.80909935827516, data, 7.91022043406975; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata: 0x11f5000, 0x49380, 0x49400; False, 0.4518718003412969, data, 5.9819277008475185; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram: 0x123f000, 0x19eb0c, 0x19ec00; False, 0.23923191210819772, data, 4.563177237876423; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss: 0x13de000, 0x12e0, 0x0; False, 0, empty, 0.0; IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata: 0x13e0000, 0x275c, 0x2800; False, 0.32783203125, "MIPSEB-LE MIPS-III ECOFF executable stripped - version 1.62", 5.320336406114727; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT: 0x13e3000, 0x38, 0x200; False, 0.08203125, "Matlab v4 mat-file (little endian) \240>/\001, numeric, rows 4198704, columns 0", 0.4053469431336201; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls: 0x13e4000, 0x8, 0x200; False, 0.02734375, data, 0.0; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc: 0x13e5000, 0x1cb418, 0x1cb600; False, 0.638719175170068, data, 6.813960267469732; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
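The .data section's 7.91 bits/byte is the highest entropy in the table and is what compressed or encrypted content looks like; .reloc at 6.81 is ordinary for a large relocation table, and .tls at 0.0 is a zero-filled page. The Python below is an added example, not Joe Sandbox code: it computes the two measures the table reports (Shannon entropy, and a zlib compressed-to-raw ratio, which is this example's assumed reading of the report's undefined "ZLIB Complexity" column) on constructed buffers, then applies an assumed 7.2 bits/byte threshold to the entropies transcribed from the table. The .text section is left out because the report lists its entropy as unknown.

```python
"""Section entropy and compressibility, as in the section table above.

Added example; not Joe Sandbox code. REPORT_SECTIONS is transcribed from the
table; the 7.2 threshold and the zlib-ratio definition are assumptions.
"""
import math
import random
import zlib
from collections import Counter

# Entropies copied from the report's section table (.text omitted: unknown).
REPORT_SECTIONS = {
    ".data": 7.91022043406975,
    ".rdata": 5.9819277008475185,
    ".eh_fram": 4.563177237876423,
    ".idata": 5.320336406114727,
    ".CRT": 0.4053469431336201,
    ".tls": 0.0,
    ".reloc": 6.813960267469732,
}

# Assumed rule of thumb: compressed or encrypted payloads sit above ~7.2 bits/byte.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_ratio(data: bytes) -> float:
    """Compressed size over raw size (assumed definition of 'ZLIB Complexity').
    A ratio near 1.0 means zlib found nothing to squeeze, which is how
    encrypted or already-compressed bytes behave."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(entropy: float, threshold: float = PACKED_THRESHOLD) -> str:
    """'empty' for all-identical bytes, 'high' at or above the threshold."""
    if entropy == 0.0:
        return "empty"
    return "high" if entropy >= threshold else "normal"


def suspicious_sections(entropies: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy meets the threshold, in table order."""
    return [name for name, e in entropies.items() if classify(e, threshold) == "high"]


def measure(data: bytes) -> dict:
    """The per-section measures the report shows, for any byte buffer."""
    e = shannon_entropy(data)
    return {"entropy": e, "zlib_ratio": zlib_ratio(data), "class": classify(e)}


def sample_buffers() -> dict:
    """Constructed stand-ins for three kinds of section content."""
    rng = random.Random(12345)  # fixed seed so the numbers are reproducible
    return {
        "zeros": b"\x00" * 4096,
        "text": b"This program cannot be run in DOS mode.\r\n" * 100,
        "random": bytes(rng.getrandbits(8) for _ in range(65536)),
    }


if __name__ == "__main__":
    for name, buf in sample_buffers().items():
        print(name, measure(buf))
    print("sections at or above threshold:", suspicious_sections(REPORT_SECTIONS))
```

The threshold is a lead, not a verdict: a .data section this large and this dense is equally what a compressed embedded archive, an image, or a crate's bundled assets produce, so the measure tells the analyst where to look first (what the 1.7 MiB in .data decodes to), not what it is.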
                                DLLImport
                                ntdll.dllNtOpenProcessToken, NtQueryInformationToken, RtlCaptureContext
                                advapi32.dllAddAccessAllowedAceEx, AddAce, AdjustTokenPrivileges, AllocateLocallyUniqueId, CloseServiceHandle, ControlService, ConvertSidToStringSidW, CopySid, CreateProcessAsUserW, CreateProcessWithLogonW, CreateProcessWithTokenW, CreateServiceW, DuplicateTokenEx, EnumDependentServicesW, EnumServicesStatusExW, GetAce, GetAclInformation, GetLengthSid, GetSecurityDescriptorDacl, GetTokenInformation, GetUserNameW, ImpersonateLoggedOnUser, InitializeAcl, InitializeSecurityDescriptor, LogonUserW, LookupPrivilegeValueW, LsaNtStatusToWinError, OpenProcessToken, OpenSCManagerW, OpenServiceW, OpenThreadToken, PrivilegeCheck, QueryServiceStatusEx, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RevertToSelf, SetSecurityDescriptorDacl, SetThreadToken, SystemFunction036
                                bcrypt.dllBCryptGenRandom
kernel32.dll: AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, CancelIo, CloseHandle, CompareStringOrdinal, CopyFileExW, CreateConsoleScreenBuffer, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateMutexA, CreateNamedPipeW, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateToolhelp32Snapshot, DeleteFileW, DeviceIoControl, DuplicateHandle, ExitProcess, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, FindClose, FindFirstFileW, FindFirstVolumeW, FindNextFileW, FindNextVolumeW, FindVolumeClose, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetComputerNameExW, GetComputerNameW, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFinalPathNameByHandleW, GetFullPathNameW, GetLargestConsoleWindowSize, GetLastError, GetLogicalDrives, GetLogicalProcessorInformation, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNumberOfConsoleInputEvents, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetTimeZoneInformation, GetVolumePathNamesForVolumeNameW, GetWindowsDirectoryW, HeapAlloc, HeapFree, HeapReAlloc, IsWow64Process, LoadLibraryA, LocalFree, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, OpenProcess, Process32FirstW, Process32NextW, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleInputW, ReadConsoleW, ReadFile, ReadFileEx, ReadProcessMemory, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RemoveDirectoryW, SetConsoleActiveScreenBuffer, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleScreenBufferSize, SetConsoleTextAttribute, SetConsoleWindowInfo, SetCurrentDirectoryW, SetEnvironmentVariableW, SetFileAttributesW, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetVolumeMountPointW, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TzSpecificLocalTimeToSystemTime, UnmapViewOfFile, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, Wow64DisableWow64FsRedirection, WriteConsoleW, WriteFileEx, lstrlenW
netapi32.dll: NetApiBufferFree, NetServerEnum, NetShareEnum
ole32.dll: CoCreateGuid, CoGetObject, CoInitializeEx, CoUninitialize
oleaut32.dll: GetErrorInfo, SetErrorInfo, SysAllocStringLen, SysFreeString, SysStringLen
rstrtmgr.dll: RmEndSession, RmGetList, RmRegisterResources, RmStartSession
secur32.dll: LsaConnectUntrusted, LsaFreeReturnBuffer, LsaLogonUser, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
shell32.dll: SHTestTokenMembership
user32.dll: GetForegroundWindow, GetKeyboardLayout, GetProcessWindowStation, GetUserObjectInformationW, GetUserObjectSecurity, GetWindowThreadProcessId, OpenDesktopW, SetUserObjectSecurity, ToUnicodeEx
userenv.dll: GetUserProfileDirectoryW
ws2_32.dll: WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSARecv, WSASend, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown
KERNEL32.dll: CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, ReleaseSemaphore, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll: __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _commode, _fmode, _fpreset, _initterm, _iob, _lock, _onexit, _unlock, _wcsicmp, abort, atoi, calloc, ceil, clock, exit, exp, fflush, fmod, fprintf, fputc, free, frexp, fwrite, localeconv, log, log10, malloc, memcmp, memcpy, memmove, memset, pow, qsort, setlocale, signal, strchr, strerror, strlen, strncmp, vfprintf, wcscat, wcscat_s, wcscpy, wcscpy_s, wcslen
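The import table above is the most informative static artifact in this report: rstrtmgr.dll (Restart Manager), volume enumeration, NetShareEnum, CoGetObject (the API that binds an elevation moniker, which is how CMSTPLUA-style UAC bypasses obtain an elevated COM object) and SHTestTokenMembership together line up with the signatures the sandbox fired. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses the report's flattened "name.dllFuncA, FuncB" rows, merges the two kernel32 entries case-insensitively, and flags API groups whose members are all present. The REPORT_ROWS list is a constructed, abbreviated transcription of the table above, and the CAPABILITIES mapping of API groups to behaviours is this example's own assumption-based grouping, not a sandbox feature.

```python
"""Import-table capability triage for a flattened sandbox import listing.

Added example; not part of the Joe Sandbox report or the analysed sample.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed subset of the report's import rows, kept in the fused
# "<dll>.dll<Func>, <Func>" form in which they were extracted.
REPORT_ROWS = [
    "kernel32.dllCreateToolhelp32Snapshot, CreateProcessW, FindFirstVolumeW, FindNextVolumeW, "
    "OpenProcess, Process32FirstW, Process32NextW, ReadProcessMemory, SetVolumeMountPointW, "
    "Wow64DisableWow64FsRedirection",
    "netapi32.dllNetApiBufferFree, NetServerEnum, NetShareEnum",
    "ole32.dllCoCreateGuid, CoGetObject, CoInitializeEx, CoUninitialize",
    "rstrtmgr.dllRmEndSession, RmGetList, RmRegisterResources, RmStartSession",
    "secur32.dllLsaConnectUntrusted, LsaFreeReturnBuffer, LsaLogonUser, "
    "LsaLookupAuthenticationPackage, LsaRegisterLogonProcess",
    "shell32.dllSHTestTokenMembership",
    "user32.dllGetForegroundWindow, GetKeyboardLayout, GetWindowThreadProcessId, ToUnicodeEx",
    "ws2_32.dllWSAStartup, WSASocketW, accept, bind, connect, listen, recv, send",
    "KERNEL32.dllCreateSemaphoreW, VirtualProtect, VirtualQuery",  # second kernel32 entry
]

# DLL names contain no '.', so the class stops at ".dll"; the rest is the function list.
ROW_RE = re.compile(r"^(?P<dll>[A-Za-z0-9_\-]+\.dll)(?P<funcs>.*)$", re.IGNORECASE)

# (label, dll, functions that must ALL be imported). Assumption-based grouping
# of Win32 APIs into behaviour families used for triage, not a vendor taxonomy.
CAPABILITIES: List[Tuple[str, str, Set[str]]] = [
    ("elevated COM object via CoGetObject (elevation-moniker UAC bypass, e.g. CMSTPLUA)",
     "ole32.dll", {"CoGetObject", "CoInitializeEx"}),
    ("checks whether the token is in the Administrators group",
     "shell32.dll", {"SHTestTokenMembership"}),
    ("Restart Manager session (release file locks before overwriting files)",
     "rstrtmgr.dll", {"RmStartSession", "RmRegisterResources", "RmGetList", "RmEndSession"}),
    ("volume enumeration and mount-point changes",
     "kernel32.dll", {"FindFirstVolumeW", "FindNextVolumeW", "SetVolumeMountPointW"}),
    ("network share and server discovery",
     "netapi32.dll", {"NetServerEnum", "NetShareEnum"}),
    ("process enumeration and memory reading",
     "kernel32.dll", {"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "ReadProcessMemory"}),
    ("keystroke-to-character translation for the foreground window",
     "user32.dll", {"GetForegroundWindow", "GetKeyboardLayout", "ToUnicodeEx"}),
    ("LSA logon-process registration",
     "secur32.dll", {"LsaRegisterLogonProcess", "LsaLogonUser"}),
    ("TCP client and server sockets",
     "ws2_32.dll", {"WSAStartup", "connect", "listen", "accept"}),
    ("disables WOW64 file-system redirection (32-bit process reaching the real System32)",
     "kernel32.dll", {"Wow64DisableWow64FsRedirection"}),
    # Negative control: classic remote-injection pair, absent from this sample's table.
    ("writes into other processes' memory",
     "kernel32.dll", {"WriteProcessMemory", "VirtualAllocEx"}),
]


def parse_import_row(row: str) -> Tuple[str, List[str]]:
    """Split one fused 'name.dllFuncA, FuncB' row into (lower-cased dll, [funcs])."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not an import row: {row!r}")
    funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
    return m.group("dll").lower(), funcs


def parse_report(rows: List[str]) -> Dict[str, Set[str]]:
    """Parse every row and merge entries for the same DLL (kernel32.dll vs KERNEL32.dll)."""
    imports: Dict[str, Set[str]] = {}
    for row in rows:
        dll, funcs = parse_import_row(row)
        imports.setdefault(dll, set()).update(funcs)
    return imports


def triage(imports: Dict[str, Set[str]]) -> List[str]:
    """Return the label of every rule whose required functions are all imported."""
    return [label for label, dll, required in CAPABILITIES
            if required <= imports.get(dll.lower(), set())]


if __name__ == "__main__":
    for hit in triage(parse_report(REPORT_ROWS)):
        print("-", hit)
```

Requiring every function in a group, rather than any one of them, keeps the noise down: CreateProcessW or OpenProcess alone says nothing, but OpenProcess plus ReadProcessMemory plus a Toolhelp snapshot is a deliberate enumeration loop. Import-based triage remains a hint, not proof: an API can be imported by a statically linked runtime and never called, and the shadow-copy deletion the report flags is not visible here at all, since that is typically done through a child process rather than a direct import.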
                                No network behavior found

Target ID: 6
Start time: 00:52:06
Start date: 13/06/2023
Path: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\3gonhm4wuGItR3fA4wcIUFDA54eUuD2V.exe
Imagebase: 0x4a0000
File size: 22715392 bytes
MD5 hash: 3A11441161F1AA4369106EE9C9AE437B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.57480024202.00000000014E7000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation: low

Target ID: 8
Start time: 00:52:09
Start date: 13/06/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77dd80000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                No disassembly