Windows Analysis Report
Zn0uX5K1ez.exe

Overview

General Information

Sample name: Zn0uX5K1ez.exe
(renamed because the original name is a hash value)
Original sample name: 58509394a423edb98b0b1be7f18551ab.exe
Analysis ID: 1523119
MD5: 58509394a423edb98b0b1be7f18551ab
SHA1: 4b7a8ff6ec8bd5908e306cb23d2b84ce3ff03ec3
SHA256: 78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Process Start Locations
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Zn0uX5K1ez.exe Avira: detected
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\debug\explorer.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\lsass.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\SIVCnSke.log Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\crpSXvpM.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\iGvrsCDf.log Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\kRRssUig.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"C2 url": "http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads", "MUTEX": "DCR_MUTEX-I0F3xOgXin83Nkym1lQr", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: 664930cm.n9shka.top Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top/ Virustotal: Detection: 9%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe ReversingLabs: Detection: 75%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Virustotal: Detection: 56%
Source: C:\Recovery\lsass.exe ReversingLabs: Detection: 75%
Source: C:\Recovery\lsass.exe Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\explorer.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\AEdPygqV.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\AEdPygqV.log Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\JfNMDZUx.log Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\SIVCnSke.log Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\admBIJoy.log Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\crpSXvpM.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\crpSXvpM.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\iGvrsCDf.log Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\kRRssUig.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\kRRssUig.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\mFVAeiee.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\mFVAeiee.log Virustotal: Detection: 28%
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe ReversingLabs: Detection: 75%
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe Virustotal: Detection: 56%
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe ReversingLabs: Detection: 75%
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Virustotal: Detection: 56%
Source: C:\Windows\debug\explorer.exe ReversingLabs: Detection: 75%
Source: C:\Windows\debug\explorer.exe Virustotal: Detection: 56%
Source: C:\blockhostnet\msinto.exe ReversingLabs: Detection: 75%
Source: C:\blockhostnet\msinto.exe Virustotal: Detection: 56%
Source: Zn0uX5K1ez.exe ReversingLabs: Detection: 71%
Source: Zn0uX5K1ez.exe Virustotal: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Joe Sandbox ML: detected
Source: C:\Windows\debug\explorer.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\admBIJoy.log Joe Sandbox ML: detected
Source: C:\Recovery\lsass.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JfNMDZUx.log Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\crpSXvpM.log Joe Sandbox ML: detected
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\kRRssUig.log Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Joe Sandbox ML: detected
Source: Zn0uX5K1ez.exe Joe Sandbox ML: detected
Source: Zn0uX5K1ez.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zn0uX5K1ez.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: svchost.exe, 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2102681512.0000000000863000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp, Zn0uX5K1ez.exe, svchost.exe.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\User\Desktop\payload\obj\Debug\payload.pdb source: Zn0uX5K1ez.exe
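The extracted configuration above is the most durable set of indicators in this report: the mutex and the C2 host survive re-packing of the SFX stub, and the live traffic in the Networking section POSTs to the config path with ".php" appended. The following Python is an added example, not part of the Joe Sandbox report or of any DCRat tooling. It parses the "Malware Configuration Extractor" line in the exact form the sandbox prints it, normalises it into IOCs and emits a YARA rule from them. The ".php" gateway suffix is treated as an observation about this sample rather than a DCRat invariant, and the numbered Params are passed through untouched because the report does not say what each one controls.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed input: the extractor line from this report, as the sandbox prints it
# (memory-dump source, family name, JSON blob on one line).
CONFIG_LINE = (
    "Source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800"
    ".00020000.00000000.sdmp Malware Configuration Extractor: DCRat "
    '{"C2 url": "http://664930cm.n9shka.top/'
    'VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads", '
    '"MUTEX": "DCR_MUTEX-I0F3xOgXin83Nkym1lQr", '
    '"Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", '
    '"3": "true", "4": "true", "5": "true", "6": "true", "7": "false", '
    '"8": "true", "9": "true", "10": "true", "11": "true", "12": "true", '
    '"13": "true", "14": "true"}}'
)

_EXTRACTOR_RE = re.compile(
    r"Malware Configuration Extractor:\s*(?P<family>\S+)\s*(?P<json>\{.*\})\s*$",
    re.DOTALL,
)


def parse_extractor_line(line: str) -> dict:
    """Split an extractor line into family name, memory-dump source and parsed config."""
    m = _EXTRACTOR_RE.search(line)
    if not m:
        raise ValueError("no extractor output on this line")
    source = line.split(" Malware Configuration Extractor:", 1)[0]
    source = source.removeprefix("Source:").strip()
    return {"family": m["family"], "source": source, "config": json.loads(m["json"])}


def _coerce(value):
    # DCRat stores booleans as the strings "true"/"false"; other values stay verbatim.
    if isinstance(value, str):
        return {"true": True, "false": False}.get(value.lower(), value)
    return value


def to_iocs(parsed: dict) -> dict:
    cfg = parsed["config"]
    c2 = cfg["C2 url"]
    parts = urlsplit(c2)
    return {
        "family": parsed["family"],
        "c2_url": c2,
        "c2_host": parts.hostname,
        "c2_port": parts.port or (443 if parts.scheme == "https" else 80),
        # Observation from this report: live POSTs go to the config path + ".php".
        # Assumption that this holds for other builds; verify against traffic.
        "gateway": c2 + ".php",
        "mutex": cfg["MUTEX"],
        "params": {k: _coerce(v) for k, v in cfg.get("Params", {}).items()},
    }


def yara_rule(parsed: dict, name: str = "dcrat_config_iocs") -> str:
    """Emit a YARA rule keyed on the mutex and C2 host (ascii and wide, .NET strings are UTF-16)."""
    iocs = to_iocs(parsed)
    return "\n".join([
        f"rule {name}",
        "{",
        "    meta:",
        f'        family = "{iocs["family"]}"',
        f'        source = "{parsed["source"]}"',
        "    strings:",
        f'        $mutex = "{iocs["mutex"]}" ascii wide',
        f'        $c2host = "{iocs["c2_host"]}" ascii wide',
        "    condition:",
        "        any of them",
        "}",
    ])


if __name__ == "__main__":
    parsed = parse_extractor_line(CONFIG_LINE)
    print(json.dumps(to_iocs(parsed), indent=2))
    print(yara_rule(parsed))
```

The mutex is the cheapest host-side check: a DCRat instance that is already running holds DCR_MUTEX-I0F3xOgXin83Nkym1lQr, so a process listing with open mutant handles, or the YARA rule above run over memory, finds it without touching the network.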

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_0083A69B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_0084C220
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085B348 FindFirstFileExA, 2_2_0085B348
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData\Local
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData\Local\Temp
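The persistence signatures in this report (system process names in unexpected locations, autostart keys pointing into C:\Windows, execution from suspicious folders) reduce to a path check on the image. The following Python is an added example, not part of the Joe Sandbox report, that applies that check to the dropped-file paths listed in this report and to a constructed set of Run-key values; the report shows the keys being created but not their data, so the value names and commands are hypothetical. The expected-directory table is an assumption about a default 64-bit Windows 10 layout.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default 64-bit Windows 10 layout. Keys and values are lower-case.
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
    "conhost.exe": {"c:\\windows\\system32"},
    "backgroundtaskhost.exe": {"c:\\windows\\system32"},
    "securityhealthsystray.exe": {"c:\\windows\\system32"},
    "msedge.exe": {"c:\\program files (x86)\\microsoft\\edge\\application",
                   "c:\\program files\\microsoft\\edge\\application"},
}
WINDOWS_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                     "write.exe", "splwow64.exe", "winhlp32.exe", "bfsvc.exe"}
NORMAL_WINDOWS_SUBDIRS = {"system32", "syswow64", "winsxs", "microsoft.net",
                          "servicing", "systemapps", "immersivecontrolpanel"}
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "users", "programdata"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\desktop\\",
                         "\\downloads\\", "\\users\\public\\")


def classify(path: str) -> list:
    """Return the reasons an image path looks like masquerading or odd placement."""
    p = PureWindowsPath(path.strip().strip('"'))
    parts = [s.lower() for s in p.parts]           # ['c:\\', 'windows', 'debug', 'x.exe']
    name, parent, full = p.name.lower(), str(p.parent).lower(), str(p).lower()
    reasons = []
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        reasons.append("system process name outside its expected directory")
    if len(parts) >= 3 and parts[0].endswith(":\\") and parts[1] == "windows":
        if len(parts) == 3 and name not in WINDOWS_ROOT_EXES:
            reasons.append("unexpected executable directly under the Windows directory")
        elif len(parts) > 3 and parts[2] not in NORMAL_WINDOWS_SUBDIRS:
            reasons.append("executable in an unusual Windows subdirectory")
    elif len(parts) >= 3 and parts[0].endswith(":\\") and parts[1] not in STANDARD_ROOT_DIRS:
        reasons.append("executable under a non-standard drive-root directory")
    if any(m in full for m in USER_WRITABLE_MARKERS):
        reasons.append("executable in a user-writable location")
    return reasons


# Quoted or unquoted image path at the start of a Run-key command, arguments ignored.
_IMAGE_RE = re.compile(r'^\s*"?(?P<image>[A-Za-z]:\\.+?\.exe)"?(?=\s|$)', re.IGNORECASE)


def image_from_command(command: str):
    m = _IMAGE_RE.match(command)
    return m["image"] if m else None


def scan_autoruns(entries) -> list:
    """entries: (key, value_name, command). Returns the flagged ones with reasons."""
    findings = []
    for key, value_name, command in entries:
        image = image_from_command(command)
        reasons = classify(image) if image else ["image path not parseable"]
        if reasons:
            findings.append((key, value_name, image, reasons))
    return findings


# Constructed sample: value names and commands are hypothetical; the images are
# the ones this report shows being dropped. The last entry is the legitimate path.
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_AUTORUNS = [
    (RUN, "explorer", "C:\\Windows\\debug\\explorer.exe"),
    (RUN, "lsass", '"C:\\Recovery\\lsass.exe"'),
    (RUN, "conhost", '"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\conhost.exe"'),
    (RUN, "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]
DROPPED = [
    "C:\\Windows\\appcompat\\hPeZTHbzcsUskSflSyozwAqUA.exe",
    "C:\\Windows\\Globalization\\Time Zone\\backgroundTaskHost.exe",
    "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
    "C:\\blockhostnet\\msinto.exe",
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
]

if __name__ == "__main__":
    for path in DROPPED:
        print(path, "->", classify(path) or "no path anomaly")
    for finding in scan_autoruns(SAMPLE_AUTORUNS):
        print(finding)
```

Two files this report shows csc.exe writing, C:\Windows\System32\SecurityHealthSystray.exe and C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, sit in their legitimate directories and pass this check. A path rule therefore has to be paired with Authenticode or known-hash verification of the binaries in those directories, otherwise an overwritten system file is invisible to it.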

Networking

Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49706 -> 37.44.238.250:80
Source: Joe Sandbox View IP Address: 37.44.238.250
Source: Joe Sandbox View ASN Name: HARMONYHOSTING-ASFR
Source: global traffic HTTP traffic detected: 53 POST requests to the C2 gateway, all with the same request line and headers, differing only in Content-Length and in whether a Connection: Keep-Alive header is present:

POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: (varies, see below)
Expect: 100-continue
Connection: Keep-Alive (present on the requests marked KA below)

Content-Length values in order of observation:
344 (KA), 384, 1120, 1840, 1120, 1120, 1120 (KA), 1120 (KA), 1840 (KA), 1120 (KA),
1120 (KA), 1840 (KA), 1120 (KA), 1120, 1120 (KA), 1120 (KA), 1112 (KA), 1840 (KA), 1112 (KA), 1120,
1112 (KA), 1120 (KA), 162168 (KA), 1120 (KA), 1112, 1820, 1120, 1120, 1120, 1120 (KA),
1120 (KA), 1120 (KA), 1120 (KA), 1828 (KA), 1120 (KA), 1120, 1120 (KA), 1120 (KA), 1120 (KA), 1120 (KA),
1120 (KA), 1820 (KA), 1120 (KA), 1120, 1120 (KA), 1120 (KA), 1120 (KA), 1120 (KA), 1820 (KA), 1120 (KA),
1120, 1112 (KA), 1120 (KA)

The 1120-byte request dominates the series; the 23rd request, at 162168 bytes, is about 145 times larger than that baseline.
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 664930cm.n9shka.top
Source: unknown HTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://664930cm.n9P
Source: conhost.exe, 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002707000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://664930cm.n9shka.top
Source: conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://664930cm.n9shka.top/
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.000000000280C000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002800000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002707000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php
Source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp, msinto.exe, 0000000A.00000002.2389367064.0000000003149000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: explorer.exe.0.dr Static PE information: section name: .'|?
Source: explorer.exe.0.dr Static PE information: section name: .h>&
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00836FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 2_2_00836FAA
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\Globalization\Time Zone\eddb19405b7ce1
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\debug\explorer.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\debug\7a0fd90576e088
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\appcompat\d612fdb7e553d0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Code function: 0_2_03441690 0_2_03441690
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083848E 2_2_0083848E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00844088 2_2_00844088
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008400B7 2_2_008400B7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008340FE 2_2_008340FE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008551C9 2_2_008551C9
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00847153 2_2_00847153
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008462CA 2_2_008462CA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008332F7 2_2_008332F7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008443BF 2_2_008443BF
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083C426 2_2_0083C426
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085D440 2_2_0085D440
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083F461 2_2_0083F461
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008477EF 2_2_008477EF
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085D8EE 2_2_0085D8EE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083286B 2_2_0083286B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083E9B7 2_2_0083E9B7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008619F4 2_2_008619F4
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00846CDC 2_2_00846CDC
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00843E0B 2_2_00843E0B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00854F9A 2_2_00854F9A
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083EFE2 2_2_0083EFE2
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A0D4C 10_2_00007FFD348A0D4C
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A0E43 10_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348C0000 21_2_00007FFD348C0000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B0D4C 21_2_00007FFD348B0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B0E43 21_2_00007FFD348B0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348E1000 21_2_00007FFD348E1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348F1325 21_2_00007FFD348F1325
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348ED5CA 21_2_00007FFD348ED5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CA9DE0 21_2_00007FFD34CA9DE0
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CABB25 21_2_00007FFD34CABB25
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD34880D4C 24_2_00007FFD34880D4C
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD34880E43 24_2_00007FFD34880E43
Source: C:\Recovery\lsass.exe Code function: 26_2_00007FFD348B0D4C 26_2_00007FFD348B0D4C
Source: C:\Recovery\lsass.exe Code function: 26_2_00007FFD348B0E43 26_2_00007FFD348B0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348D1000 27_2_00007FFD348D1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348DD5CA 27_2_00007FFD348DD5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348A0D4C 27_2_00007FFD348A0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348A0E43 27_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348B0000 27_2_00007FFD348B0000
Source: C:\Windows\debug\explorer.exe Code function: 28_2_00007FFD34890D4C 28_2_00007FFD34890D4C
Source: C:\Windows\debug\explorer.exe Code function: 28_2_00007FFD34890E43 28_2_00007FFD34890E43
Source: C:\blockhostnet\msinto.exe Code function: 30_2_00007FFD348C0D4C 30_2_00007FFD348C0D4C
Source: C:\blockhostnet\msinto.exe Code function: 30_2_00007FFD348C0E43 30_2_00007FFD348C0E43
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348B0000 31_2_00007FFD348B0000
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348D1000 31_2_00007FFD348D1000
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348DD5CA 31_2_00007FFD348DD5CA
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348A0D4C 31_2_00007FFD348A0D4C
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348A0E43 31_2_00007FFD348A0E43
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348B0D4C 32_2_00007FFD348B0D4C
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348B0E43 32_2_00007FFD348B0E43
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348E1000 32_2_00007FFD348E1000
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348ED5CA 32_2_00007FFD348ED5CA
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C0E06 32_2_00007FFD348C0E06
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C12F4 32_2_00007FFD348C12F4
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C1338 32_2_00007FFD348C1338
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C0000 32_2_00007FFD348C0000
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C137C 32_2_00007FFD348C137C
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C13C0 32_2_00007FFD348C13C0
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C14A9 32_2_00007FFD348C14A9
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C1A7E 32_2_00007FFD348C1A7E
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C13FD 32_2_00007FFD348C13FD
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348A0D4C 33_2_00007FFD348A0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348A0E43 33_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348D1000 33_2_00007FFD348D1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348DD5CA 33_2_00007FFD348DD5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348B0000 33_2_00007FFD348B0000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348B0D4C 34_2_00007FFD348B0D4C
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348B0E43 34_2_00007FFD348B0E43
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C0E06 34_2_00007FFD348C0E06
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C12F4 34_2_00007FFD348C12F4
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C1338 34_2_00007FFD348C1338
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C0000 34_2_00007FFD348C0000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C137C 34_2_00007FFD348C137C
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C13C0 34_2_00007FFD348C13C0
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348E1000 34_2_00007FFD348E1000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348ED5CA 34_2_00007FFD348ED5CA
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C14A9 34_2_00007FFD348C14A9
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C1A7E 34_2_00007FFD348C1A7E
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C13FD 34_2_00007FFD348C13FD
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AEdPygqV.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084EB78 appears 39 times
Source: Zn0uX5K1ez.exe, 00000000.00000000.2097208452.00000000012B2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepayload.exe4 vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe, 00000000.00000002.2111357651.00000000018FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Binary or memory string: OriginalFilenamepayload.exe4 vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: msinto.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: backgroundTaskHost.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@44/294@1/1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00836C74 GetLastError,FormatMessageW, 2_2_00836C74
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 2_2_0084A6C2
Source: C:\blockhostnet\msinto.exe File created: C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zn0uX5K1ez.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-I0F3xOgXin83Nkym1lQr
Source: C:\Windows\debug\explorer.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: unknown Process created: C:\Windows\debug\explorer.exe
Source: unknown Process created: C:\Windows\debug\explorer.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: sfxname 2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: sfxstime 2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: STARTDLG 2_2_0084DF1E
Source: Zn0uX5K1ez.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zn0uX5K1ez.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: conhost.exe, 00000015.00000002.3554414073.000000001BE72000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3554414073.000000001BE6A000.00000004.00000020.00020000.00000000.sdmp, AzFu3DMnII.21.dr, KBpeOZl6LK.21.dr, 8B9aVxycY9.21.dr, 5QWAKoy45Q.21.dr, J3zegzBECf.21.dr, 9nUVX9qu0n.21.dr, UjjiqG5BgE.21.dr, lWE4TC1R9e.21.dr, TY8wXaUeS2.21.dr, mWJ8NP0pgg.21.dr, aUDfp3N2kY.21.dr, Vk3Mw1W2Qt.21.dr, VyJoKrdJMr.21.dr, wQGTEPWHw7.21.dr, B91mR4iHlu.21.dr, C24CrujGfu.21.dr, b8i0avu0ST.21.dr, OHWh9jYDpn.21.dr, QAJjLADhO2.21.dr, ak3B5ey2Im.21.dr, 1DxqRxk8bq.21.dr, Br1PSAOT8a.21.dr, jS9YrnT28m.21.dr, 5o7cJ7Im4F.21.dr, o10jWHG1nh.21.dr, g0LcWYZoL5.21.dr, U787fSRxaR.21.dr, HVm4DAR9Q6.21.dr, X1XyXuc1da.21.dr, psvsWE0Pyu.21.dr, eRmxc4BNpu.21.dr, 4OIxrbYGAr.21.dr, 0Vly4rb0Si.21.dr, 3XlCUqcTzr.21.dr, ILxWYyh7K0.21.dr, TK1GnnCPbs.21.dr, gus8gVV6Z1.21.dr, 9WjvQxChlE.21.dr, DXmKq18qjf.21.dr, gQ6v8ORoA0.21.dr, kLpULUaATZ.21.dr, ew1vPjSH17.21.dr, ZEEkdFsWOI.21.dr, nhADnqzdYk.21.dr, rcdCKsYyfx.21.dr, 6EGHrLU0vt.21.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Zn0uX5K1ez.exe ReversingLabs: Detection: 71%
Source: Zn0uX5K1ez.exe Virustotal: Detection: 73%
Source: unknown Process created: C:\Users\user\Desktop\Zn0uX5K1ez.exe "C:\Users\user\Desktop\Zn0uX5K1ez.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe"
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
Source: unknown Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\debug\explorer.exe "C:\Windows\debug\explorer.exe"
Source: unknown Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet\msinto.exe"
Source: unknown Process created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
Source: unknown Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\debug\explorer.exe "C:\Windows\debug\explorer.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: mscoree.dll
Source: C:\blockhostnet\msinto.exe Section loaded: apphelp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: kernel.appcore.dll
Source: C:\blockhostnet\msinto.exe Section loaded: version.dll
Source: C:\blockhostnet\msinto.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: uxtheme.dll
Source: C:\blockhostnet\msinto.exe Section loaded: windows.storage.dll
Source: C:\blockhostnet\msinto.exe Section loaded: wldp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: profapi.dll
Source: C:\blockhostnet\msinto.exe Section loaded: cryptsp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: rsaenh.dll
Source: C:\blockhostnet\msinto.exe Section loaded: cryptbase.dll
Source: C:\blockhostnet\msinto.exe Section loaded: sspicli.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ktmw32.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ntmarta.dll
Source: C:\blockhostnet\msinto.exe Section loaded: wbemcomn.dll
Source: C:\blockhostnet\msinto.exe Section loaded: propsys.dll
Source: C:\blockhostnet\msinto.exe Section loaded: dlnashext.dll
Source: C:\blockhostnet\msinto.exe Section loaded: wpdshext.dll
Source: C:\blockhostnet\msinto.exe Section loaded: edputil.dll
Source: C:\blockhostnet\msinto.exe Section loaded: urlmon.dll
Source: C:\blockhostnet\msinto.exe Section loaded: iertutil.dll
Source: C:\blockhostnet\msinto.exe Section loaded: srvcli.dll
Source: C:\blockhostnet\msinto.exe Section loaded: netutils.dll
Source: C:\blockhostnet\msinto.exe Section loaded: wintypes.dll
Source: C:\blockhostnet\msinto.exe Section loaded: appresolver.dll
Source: C:\blockhostnet\msinto.exe Section loaded: bcp47langs.dll
Source: C:\blockhostnet\msinto.exe Section loaded: slc.dll
Source: C:\blockhostnet\msinto.exe Section loaded: userenv.dll
Source: C:\blockhostnet\msinto.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ksuser.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: avrt.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: audioses.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: midimap.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: dpapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: mscoree.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: apphelp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: version.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: uxtheme.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: windows.storage.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: wldp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: profapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: cryptsp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: rsaenh.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: cryptbase.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe Section loaded: version.dll
Source: C:\Recovery\lsass.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: sspicli.dll
Source: C:\Windows\debug\explorer.exe Section loaded: mscoree.dll
Source: C:\Windows\debug\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\debug\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\debug\explorer.exe Section loaded: version.dll
Source: C:\Windows\debug\explorer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\debug\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\debug\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\debug\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\debug\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\debug\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\debug\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\debug\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\debug\explorer.exe Section loaded: sspicli.dll
Source: C:\blockhostnet\msinto.exe Section loaded: mscoree.dll
Source: C:\blockhostnet\msinto.exe Section loaded: kernel.appcore.dll
Source: C:\blockhostnet\msinto.exe Section loaded: version.dll
Source: C:\blockhostnet\msinto.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe Section loaded: uxtheme.dll
Source: C:\blockhostnet\msinto.exe Section loaded: windows.storage.dll
Source: C:\blockhostnet\msinto.exe Section loaded: wldp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: profapi.dll
Source: C:\blockhostnet\msinto.exe Section loaded: cryptsp.dll
Source: C:\blockhostnet\msinto.exe Section loaded: rsaenh.dll
Source: C:\blockhostnet\msinto.exe Section loaded: cryptbase.dll
Source: C:\blockhostnet\msinto.exe Section loaded: sspicli.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: mscoree.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: version.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: uxtheme.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: windows.storage.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: wldp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: profapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: cryptsp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: rsaenh.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: cryptbase.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe Section loaded: version.dll
Source: C:\Recovery\lsass.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Section loaded: sspicli.dll
Source: C:\Windows\debug\explorer.exe Section loaded: mscoree.dll
Source: C:\Windows\debug\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\debug\explorer.exe Section loaded: version.dll
Source: C:\Windows\debug\explorer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\debug\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\debug\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\debug\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\debug\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\debug\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\debug\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\debug\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\debug\explorer.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Zn0uX5K1ez.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zn0uX5K1ez.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Zn0uX5K1ez.exe Static file information: File size 8034816 > 1048576
Source: Zn0uX5K1ez.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x79c400
Source: Zn0uX5K1ez.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Zn0uX5K1ez.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: svchost.exe, 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2102681512.0000000000863000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp, Zn0uX5K1ez.exe, svchost.exe.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\User\Desktop\payload\obj\Debug\payload.pdb source: Zn0uX5K1ez.exe
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
Source: initial sample Static PE information: section where entry point is pointing to: .SnO
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\blockhostnet\__tmp_rar_sfx_access_check_5261625
Source: svchost.exe.0.dr Static PE information: section name: .didat
Source: explorer.exe.0.dr Static PE information: section name: .'|?
Source: explorer.exe.0.dr Static PE information: section name: .h>&
Source: explorer.exe.0.dr Static PE information: section name: .SnO
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084F640 push ecx; ret 2_2_0084F653
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084EB78 push eax; ret 2_2_0084EB96
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A474F pushad ; iretd 10_2_00007FFD348A4755
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A4BAC push es; retf 10_2_00007FFD348A4BAF
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C9E64E push edx; ret 10_2_00007FFD34C9E652
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C9EDC0 push ecx; ret 10_2_00007FFD34C9EDC1
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C9E74C push ecx; ret 10_2_00007FFD34C9E750
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C9E2BB push es; retf 10_2_00007FFD34C9E2BF
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C9E6C4 push esi; ret 10_2_00007FFD34C9E6C5
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD34C92825 push E8FFFFFFh; retf 10_2_00007FFD34C92831
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348C1DD6 push ds; iretd 21_2_00007FFD348C1DD7
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B474F pushad ; iretd 21_2_00007FFD348B4755
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B4BAC push es; retf 21_2_00007FFD348B4BAF
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348E7DF5 pushad ; iretd 21_2_00007FFD348E7E1D
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348D6CD2 pushfd ; iretd 21_2_00007FFD348D6CE1
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE135 push edi; ret 21_2_00007FFD34CAE136
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE861 push esp; ret 21_2_00007FFD34CAE862
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE634 push edi; ret 21_2_00007FFD34CAE635
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE655 push edx; ret 21_2_00007FFD34CAE659
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE1FB push ebp; ret 21_2_00007FFD34CAE20B
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE1DB push edi; ret 21_2_00007FFD34CAE1DC
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAED6E push eax; ret 21_2_00007FFD34CAED77
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE560 push edi; ret 21_2_00007FFD34CAE561
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE999 push ebx; ret 21_2_00007FFD34CAE9A6
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE2B7 push ebp; ret 21_2_00007FFD34CAE2C7
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE6B5 push ecx; ret 21_2_00007FFD34CAE6C5
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE678 push edx; ret 21_2_00007FFD34CAE679
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CA2825 push E8FFFFFFh; retf 21_2_00007FFD34CA2831
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CAE793 push ecx; ret 21_2_00007FFD34CAE79A
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD3488474F pushad ; iretd 24_2_00007FFD34884755
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD34884BAC push es; retf 24_2_00007FFD34884BAF
Source: msinto.exe.2.dr Static PE information: section name: .text entropy: 7.5421860659259625
Source: backgroundTaskHost.exe.10.dr Static PE information: section name: .text entropy: 7.5421860659259625

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Recovery\lsass.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\debug\explorer.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown Executable created and started: C:\Windows\debug\explorer.exe
Source: unknown Executable created and started: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File created: C:\Users\user\Desktop\mFVAeiee.log
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File created: C:\Users\user\Desktop\iGvrsCDf.log
Source: C:\blockhostnet\msinto.exe File created: C:\Users\user\Desktop\AEdPygqV.log
Source: C:\blockhostnet\msinto.exe File created: C:\Users\user\Desktop\SIVCnSke.log
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File created: C:\Users\user\Desktop\kRRssUig.log
Source: C:\blockhostnet\msinto.exe File created: C:\Users\user\Desktop\JfNMDZUx.log
Source: C:\blockhostnet\msinto.exe File created: C:\Users\user\Desktop\crpSXvpM.log
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\blockhostnet\msinto.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File created: C:\Users\user\Desktop\admBIJoy.log

Boot Survival

Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA
Source: C:\blockhostnet\msinto.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msinto
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
Source: C:\blockhostnet\msinto.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msinto

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\explorer.exe Memory written: PID: 3460 base: 7FFDB4590008 value: E9 EB D9 E9 FF Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Memory written: PID: 3460 base: 7FFDB442D9F0 value: E9 20 26 16 00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Memory written: PID: 3460 base: 7FFDB45A000D value: E9 BB CB EB FF Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Memory written: PID: 3460 base: 7FFDB445CBC0 value: E9 5A 34 14 00 Jump to behavior
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\blockhostnet\msinto.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\debug\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\blockhostnet\msinto.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\debug\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Special instruction interceptor: First address: 14076D2EF instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Special instruction interceptor: First address: 14076D336 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 1AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 3620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 3460000 memory reserve | memory write watch
Source: C:\blockhostnet\msinto.exe Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\blockhostnet\msinto.exe Memory allocated: 1AF30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 21C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1A440000 memory reserve | memory write watch
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 980000 memory reserve | memory write watch
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 1A550000 memory reserve | memory write watch
Source: C:\Recovery\lsass.exe Memory allocated: 17E0000 memory reserve | memory write watch
Source: C:\Recovery\lsass.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1AFF0000 memory reserve | memory write watch
Source: C:\Windows\debug\explorer.exe Memory allocated: 9A0000 memory reserve | memory write watch
Source: C:\Windows\debug\explorer.exe Memory allocated: 1A480000 memory reserve | memory write watch
Source: C:\blockhostnet\msinto.exe Memory allocated: 1320000 memory reserve | memory write watch
Source: C:\blockhostnet\msinto.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 1A820000 memory reserve | memory write watch
Source: C:\Recovery\lsass.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Recovery\lsass.exe Memory allocated: 1ABA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1AC10000 memory reserve | memory write watch
Source: C:\Windows\debug\explorer.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Windows\debug\explorer.exe Memory allocated: 1B120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599763
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597656
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597031
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596766
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595672
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594266
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593641
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593188
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592609
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592250
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 591375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590567
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589150
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588844
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587911
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587125
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585759
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585625
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585466
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585339
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585122
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585011
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584890
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584750
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584639
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584526
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584279
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583958
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583688
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583453
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\debug\explorer.exe Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window / User API: threadDelayed 8091
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window / User API: threadDelayed 1498
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mFVAeiee.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iGvrsCDf.log
Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AEdPygqV.log
Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SIVCnSke.log
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\kRRssUig.log
Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JfNMDZUx.log
Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\crpSXvpM.log
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\admBIJoy.log
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\blockhostnet\msinto.exe TID: 968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 1088 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599888s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599763s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599484s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -598922s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3380 Thread sleep time: -32400000s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -598531s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597922s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597656s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597031s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -596766s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -596531s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595906s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595672s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595234s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -594969s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -594266s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -593641s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -593188s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -592609s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -592250s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -591375s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590906s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590567s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590047s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -589813s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -589150s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -588844s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -588484s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587911s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587563s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587125s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -586375s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -586047s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585759s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585625s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585466s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585339s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585234s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585122s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585011s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584890s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584750s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584639s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584526s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584279s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583958s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583813s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583688s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583563s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583453s >= -30000s
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 1340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\debug\explorer.exe TID: 5924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\blockhostnet\msinto.exe TID: 7008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe TID: 400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 2192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\debug\explorer.exe Last function: Thread delayed
Source: C:\blockhostnet\msinto.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\debug\explorer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\blockhostnet\msinto.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\debug\explorer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_0083A69B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_0084C220
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085B348 FindFirstFileExA, 2_2_0085B348
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084E6A3 VirtualQuery,GetSystemInfo, 2_2_0084E6A3
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599763
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597656
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597031
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596766
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595672
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594266
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593641
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593188
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592609
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592250
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 591375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590567
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589150
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588844
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587911
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587125
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585759
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585625
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585466
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585339
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585122
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585011
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584890
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584750
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584639
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584526
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584279
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583958
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583688
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583453
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\debug\explorer.exe Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
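The delay values above are milliseconds. 922337203685477 is 0x8000000000000000 expressed in 100-nanosecond units and divided by 10,000, and that LARGE_INTEGER is the relative timeout kernel32's Sleep/SleepEx hand to NtDelayExecution for INFINITE; the eight lines carrying it are therefore threads parked indefinitely (typically a main thread waiting on its workers), not a timed evasion sleep. The conhost.exe values, by contrast, fall monotonically by a few hundred milliseconds per call, which is what a loop that repeatedly sleeps for "deadline minus now" produces. The Python below is an added example, not part of the Joe Sandbox report: it parses a subset of the lines copied from the list above, separates the infinite parks from timed sleeps and extracts the countdown run. The 60-second "long sleep" threshold and the deadline-loop reading of the descending run are this example's own assumptions.

```python
"""Added example: classify the report's "Thread delayed" lines. Not part of the
sandbox report; the threshold and the countdown interpretation are assumptions."""
import ntpath
import re

# Eight conhost.exe values and five of the sentinel lines, copied from the report.
DELAY_LINES = [
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588484",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587911",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587563",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587125",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586375",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586047",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585759",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585625",
    r"Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\debug\explorer.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477",
]

# Sleep(INFINITE) reaches NtDelayExecution as the relative timeout 0x8000000000000000
# in 100 ns units; the sandbox prints it converted to whole milliseconds.
INFINITE_MS = (1 << 63) // 10_000          # 922337203685477
LONG_SLEEP_MS = 60_000                     # assumption: over a minute is worth a look

_DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)$")


def parse_delays(lines):
    """[(process_path, delay_ms)] in report order; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = _DELAY_RE.match(line.strip())
        if m:
            out.append((m["proc"], int(m["ms"])))
    return out


def classify(delay_ms):
    if delay_ms == INFINITE_MS:
        return "infinite_park"
    if delay_ms >= LONG_SLEEP_MS:
        return "long_sleep"
    return "short_sleep"


def countdown_runs(delays, min_len=3):
    """Maximal runs of consecutive, strictly decreasing timed delays from one process.
    Returns [(process_path, first_ms, last_ms, calls, min_step_ms, max_step_ms)]."""
    runs, cur = [], []

    def flush(run):
        if len(run) >= min_len:
            steps = [a[1] - b[1] for a, b in zip(run, run[1:])]
            runs.append((run[0][0], run[0][1], run[-1][1], len(run), min(steps), max(steps)))

    for proc, ms in delays:
        parked = classify(ms) == "infinite_park"
        if cur and not parked and cur[-1][0] == proc and ms < cur[-1][1]:
            cur.append((proc, ms))
        else:
            flush(cur)
            cur = [] if parked else [(proc, ms)]
    flush(cur)
    return runs


def summarize(lines):
    """Image names per class, first-seen order, duplicates removed."""
    summary = {"infinite_park": [], "long_sleep": [], "short_sleep": []}
    for proc, ms in parse_delays(lines):
        name = ntpath.basename(proc)
        bucket = summary[classify(ms)]
        if name not in bucket:
            bucket.append(name)
    return summary


if __name__ == "__main__":
    print(summarize(DELAY_LINES))
    for proc, first, last, calls, lo, hi in countdown_runs(parse_delays(DELAY_LINES)):
        print(f"{ntpath.basename(proc)}: {calls} sleeps from {first} ms down to {last} ms, step {lo}-{hi} ms")
```

A triage rule built on this should treat the infinite parks as structural (every dropped component shows one) and concentrate on the timed run: a roughly ten-minute deadline approached in sub-second steps is the pattern to correlate with the w32tm and cmd activity logged further down.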
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user Jump to behavior
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\blockhostnet\msinto.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: q9BeTagoKR.21.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: q9BeTagoKR.21.dr Binary or memory string: discord.comVMware20,11696487552f
Source: q9BeTagoKR.21.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: q9BeTagoKR.21.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wscript.exe, 00000005.00000003.2351888371.00000000027ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: q9BeTagoKR.21.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: global block list test formVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: q9BeTagoKR.21.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: w32tm.exe, 00000014.00000002.2439210308.0000026B5CDB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: q9BeTagoKR.21.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: q9BeTagoKR.21.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: q9BeTagoKR.21.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: conhost.exe, 00000015.00000002.3548003600.000000001AD10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|][
Source: q9BeTagoKR.21.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: q9BeTagoKR.21.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: q9BeTagoKR.21.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: q9BeTagoKR.21.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: q9BeTagoKR.21.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: q9BeTagoKR.21.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: q9BeTagoKR.21.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: q9BeTagoKR.21.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: q9BeTagoKR.21.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: q9BeTagoKR.21.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\explorer.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\explorer.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Handle closed: DEADC0DE
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0084F838
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00857DEE mov eax, dword ptr fs:[00000030h] 2_2_00857DEE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085C030 GetProcessHeap, 2_2_0085C030
Source: C:\blockhostnet\msinto.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0084F838
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084F9D5 SetUnhandledExceptionFilter, 2_2_0084F9D5
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0084FBCA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00858EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00858EBD
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQuerySystemInformation: Direct from: 0x1408B943E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtProtectVirtualMemory: Indirect: 0x14033F642 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQueryInformationProcess: Direct from: 0x1408B940A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQueryInformationProcess: Direct from: 0x1408B93D6 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtProtectVirtualMemory: Direct from: 0x1408B946B Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQuerySystemInformation: Direct from: 0x1408B94AD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQuerySystemInformation: Direct from: 0x1408B93AE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe NtQuerySystemInformation: Direct from: 0x1408B93CD Jump to behavior
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe" Jump to behavior
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline" Jump to behavior
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline" Jump to behavior
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
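The process-creation lines above are the raw material behind the Sigma hits listed in the overview ("Files With System Process Name In Unsuspected Locations", "Dot net compiler compiles file from suspicious location", "Execution from Suspicious Folder"). The Python below is an added example, not part of the Joe Sandbox report or of any detection product: it parses the lines (thirteen of them, copied verbatim, including the "Jump to behavior" link text a scraper would see) into parent/child edges and re-derives those hits with explicit rules. The expected-directory table, the rule names, the trusted-root list and the reading of the w32tm /stripchart /computer:localhost call as a batch-file sleep substitute are this example's own assumptions.

```python
"""Added example: turn the report's "Process created" lines into a process tree
and re-derive the kind of findings the Sigma rules in the overview encode.
Not part of the sandbox report; the rule names and tables are assumptions."""
import ntpath
import re
from collections import defaultdict

REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior',
    r'Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior',
    r'Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" " Jump to behavior',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe" Jump to behavior',
    r'Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline" Jump to behavior',
    r'Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline" Jump to behavior',
    r'Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP" Jump to behavior',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"',
]

# Image paths contain spaces, so the child path is taken up to the first ".exe "/".com ".
_LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: "
    r"(?P<child>.+?\.(?:exe|com)) (?P<cmdline>.*?)(?: Jump to behavior)?$",
    re.IGNORECASE,
)

# Where Windows keeps binaries of these names (assumption; a production rule also
# needs the WinSxS/servicing paths and a much longer name list).
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "conhost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "wscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Top-level folders under which execution is unremarkable on its own.
TRUSTED_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def parse_process_events(lines):
    """[(parent_path, child_path, cmdline)] for every 'Process created' line."""
    events = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["child"], m["cmdline"]))
    return events


def _split(path):
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def rule_system_name_location(parent, child, cmdline):
    directory, name = _split(child)
    expected = SYSTEM_BINARY_DIRS.get(name)
    if expected and directory not in expected:
        return "system_binary_name_outside_system_dir"


def rule_suspicious_folder(parent, child, cmdline):
    directory, _ = _split(child)
    parts = directory.split("\\")            # e.g. ['c:', 'blockhostnet']
    if len(parts) >= 2 and parts[0].endswith(":") and parts[1] not in TRUSTED_ROOTS:
        return "execution_from_suspicious_folder"


def rule_csc_from_temp(parent, child, cmdline):
    _, name = _split(child)
    if name == "csc.exe" and "\\appdata\\local\\temp\\" in cmdline.lower():
        return "dotnet_compiler_input_in_temp"


def rule_w32tm_as_sleep(parent, child, cmdline):
    c = cmdline.lower()
    if "w32tm" in c and "/stripchart" in c and "/computer:localhost" in c:
        return "w32tm_stripchart_used_as_delay"


RULES = (rule_system_name_location, rule_suspicious_folder, rule_csc_from_temp, rule_w32tm_as_sleep)


def findings(lines):
    """[(rule, parent_basename, child_basename)] in report order."""
    out = []
    for parent, child, cmdline in parse_process_events(lines):
        for rule in RULES:
            hit = rule(parent, child, cmdline)
            if hit:
                out.append((hit, ntpath.basename(parent), ntpath.basename(child)))
    return out


def process_tree(lines):
    """parent basename -> sorted child basenames. The report carries no PIDs, so the
    two cmd.exe instances (from explorer.exe and from msinto.exe) collapse into one node."""
    tree = defaultdict(set)
    for parent, child, _ in parse_process_events(lines):
        tree[ntpath.basename(parent)].add(ntpath.basename(child))
    return {k: sorted(v) for k, v in tree.items()}


if __name__ == "__main__":
    for hit in findings(REPORT_LINES):
        print("%-40s %s -> %s" % hit)
```

Run on the lines above the rules fire seven times: the two Temp-resident svchost.exe/explorer.exe children of the sample, msinto.exe under C:\blockhostnet, both csc.exe invocations with a .cmdline file in Temp, the w32tm call, and conhost.exe under Program Files (x86). Note the tree loses the distinction between the two cmd.exe instances; when a real EDR feed with PIDs is available, key the tree on (PID, start time) instead of the image path.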
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .1",5,1,"","user","675052","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\msbuild\\Microsoft\\Windows Workflow Foundation","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","Ne
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","675052","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\msbuild\\Microsoft\\Windows Workflow Foundation","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","New York / New York City"," / "]
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084F654 cpuid 2_2_0084F654
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: GetLocaleInfoW,GetNumberFormatW, 2_2_0084AF0F
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Queries volume information: C:\Users\user\Desktop\Zn0uX5K1ez.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\blockhostnet\msinto.exe Queries volume information: C:\blockhostnet\msinto.exe VolumeInformation Jump to behavior
Source: C:\blockhostnet\msinto.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Queries volume information: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe VolumeInformation
Source: C:\Recovery\lsass.exe Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Windows\debug\explorer.exe Queries volume information: C:\Windows\debug\explorer.exe VolumeInformation
Source: C:\blockhostnet\msinto.exe Queries volume information: C:\blockhostnet\msinto.exe VolumeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Queries volume information: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe VolumeInformation
Source: C:\Recovery\lsass.exe Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Windows\debug\explorer.exe Queries volume information: C:\Windows\debug\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083B146 GetVersionExW, 2_2_0083B146
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msinto.exe PID: 6248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 1924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hPeZTHbzcsUskSflSyozwAqUA.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Zn0uX5K1ez.exe, type: SAMPLE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2103951252.0000000006000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2096226398.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2352080688.0000000000A02000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119459063.0000000004625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
Source: Yara match File source: C:\blockhostnet\msinto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Windows\debug\explorer.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\lsass.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED
Source: Yara match File source: Zn0uX5K1ez.exe, type: SAMPLE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
Source: Yara match File source: C:\blockhostnet\msinto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Windows\debug\explorer.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\lsass.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msinto.exe PID: 6248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 1924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hPeZTHbzcsUskSflSyozwAqUA.exe PID: 3352, type: MEMORYSTR
Source: Yara match File source: Zn0uX5K1ez.exe, type: SAMPLE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2103951252.0000000006000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2096226398.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2352080688.0000000000A02000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2119459063.0000000004625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
Source: Yara match File source: C:\blockhostnet\msinto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Windows\debug\explorer.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\lsass.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED